
15-437 Security Theory

Thierry Sans
October 06, 2013


  1. Securing the web architecture means securing ...
     • The network
     • The operating system
     • The web server (Apache for instance)
     • The administration server (SSH for instance)
     • The database (Oracle for instance)
     • The web application: our focus here!

  2. Problem
     [Diagram: Server Side (Web Server, Database) | Client Side (Web Browser)]
     You have absolutely no control over the client.

  3. The Shopping Cart Attack
     [Diagram: the client's trusted domain sends order=(#2956,10,9,90) to the server's trusted domain, which answers "Thank you for your order!"]
     The total is calculated by a script on the client; the order is generated based on the request.
     * Notice that Amazon is not vulnerable to this attack *

  4. Solution
     ๏ The client side is not a trusted domain
     ✓ Sensitive operations must be done on the server, i.e. within the trusted domain

  5. Information Leakage
     "AT&T Inc. apologized to Apple Inc. iPad 3G tablet computer users whose e-mail addresses were exposed during a security breach disclosed last week."
     source: Business Week - June 14 2010
     "There's no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it."
     source: Praetorian Prefect - June 9 2010

  6. Solution
     ✓ Authentication
       • Who are the authorized users?
     ✓ Authorization
       • Who can access what and how?

  7. Problem
     ๏ An attacker can eavesdrop on messages sent back and forth
     ๏ An attacker can tamper with messages sent back and forth

  8. Confidentiality and Integrity
     Confidentiality: how do we exchange information secretly?
     ✓ Encryption
     Integrity: how do we exchange information reliably?
     ✓ Digital Signature

  9. Generic solution - HTTPS
     ➡ SSL provides
       • an end-to-end secure channel (confidentiality)
       • an authentication handshake (integrity)
     ✓ HTTPS = HTTP + SSL

 10. Self-signed certificate
     Step 0: the server generates the certificate
     Step 1: client: "Show me who you are."
     Step 2: server: "Here is my certificate."
     Client: do I trust this certificate?

 11. Certificate Authority (CA)
     Step 0: the server generates the certificate and has it signed by a CA (Thawte for instance)
     Step 1: client: "Show me who you are."
     Step 2: server: "Here is my certificate."
     Client: do I trust this certificate signed by Thawte?

 12. When to use HTTPS?
     We need to protect
       • Login and password
       • Session ID
     ✓ HTTPS must be used during the entire session

 13. Authorization
     ➡ Define a security policy and enforce permissions on each URL (including media files)
     ✓ based on what you know about the user (session)
     ๏ but not on what the user claims (query string, cookie)
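The rule on slide 13, as an added example that is not part of the deck: a per-URL permission check that derives the caller's identity from a server-side session store (the cookie only carries an opaque session id) and never from a value the request claims. The session store, the ownership table, the URL paths and the `Request` class are all constructed for the example; the weak `authorize_by_claim` variant is included only to show what trusting the query string does.

```python
# Added example (not from the slides): a per-URL permission check that derives
# identity from the server-side session, never from values the client claims.
from dataclasses import dataclass, field

# Constructed server-side session store: session id (from the cookie) -> user.
SESSIONS = {
    "sid-alice": {"user": "alice", "role": "member"},
    "sid-charlie": {"user": "charlie", "role": "member"},
    "sid-ops": {"user": "ops", "role": "admin"},
}

# Constructed ownership table covering pages and media files alike.
OWNERS = {
    "/View/53": "alice",
    "/Delete/53": "alice",
    "/media/profilepic-53.jpg": "alice",
    "/View/86": "charlie",
}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def authorize_by_claim(req, action):
    """Weak version: trusts ?user=... in the query string (what the user claims)."""
    claimed = req.query.get("user")
    owner = OWNERS.get(req.path)
    if owner is None or claimed is None:
        return False
    return action == "view" or claimed == owner


def authorize(req, action):
    """Policy: any logged-in member may view; only the owner (or an admin) may delete."""
    session = SESSIONS.get(req.cookies.get("sid"))   # what we know about the user
    if session is None:
        return False                     # no valid session: no access at all
    owner = OWNERS.get(req.path)
    if owner is None:
        return False                     # unknown resource (media included): deny
    if session["role"] == "admin":
        return True
    if action == "view":
        return True
    return session["user"] == owner      # delete/edit: owner only


if __name__ == "__main__":
    forged = Request("/Delete/53", cookies={"sid": "sid-charlie"}, query={"user": "alice"})
    print(authorize_by_claim(forged, "delete"))   # True: the claim is believed
    print(authorize(forged, "delete"))            # False: the session says charlie
```

The cookie never holds the user name or role, only a random session id that is meaningless without the server-side table, so neither the query string nor the cookie can be edited into a different identity.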
 14. SQL Password Checking Attack
     loginPage.html -> checkPassword.php
       name=Alice&pwd=123456      -> Access Denied!
       name=whatever" OR 1=1      -> Access Granted!

       <?php
       // Deliberately vulnerable: the query is built by concatenating the POST values
       $uid = SQLQuery("SELECT uid FROM LoginTable WHERE login=\"" . $_POST['name']
                     . "\" AND password=\"" . $_POST['pwd'] . "\"");
       if ($uid) echo "Access Granted";
       else echo "Access Denied";
       ?>

 15. Problem
     ➡ An attacker can inject SQL code
     ๏ Retrieve, add, modify, delete information
     ๏ Bypass authentication

 16. Generic Solution
     ✓ Escape all special SQL parameters according to the quoting conventions of the database server you are using
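The password check of slide 14 and the fix of slide 16, as an added example that is not the deck's PHP: the same query over SQLite, once assembled by string concatenation and once with bound parameters, where the driver applies the database's own quoting conventions so the input can never change the shape of the statement. The table, the single user row and the payload are constructed for the example; the plaintext password column only mirrors the slide.

```python
# Added example (not the slide's PHP): the password check in Python over SQLite,
# built by concatenation as on the slide and then with parameter binding.
import sqlite3


def setup_db():
    """Constructed in-memory LoginTable with one user.
    Plaintext password only to mirror the slide; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LoginTable (uid INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.execute("INSERT INTO LoginTable VALUES (1, 'Alice', '123456')")
    conn.commit()
    return conn


def check_password_vulnerable(conn, name, pwd):
    """Query text assembled from tainted input, like checkPassword.php."""
    query = ("SELECT uid FROM LoginTable WHERE login='" + name
             + "' AND password='" + pwd + "'")
    return conn.execute(query).fetchone() is not None


def check_password_safe(conn, name, pwd):
    """Placeholders: the values are sent separately from the statement, and the
    driver quotes them for this database, so 'OR 1=1' stays a login name."""
    query = "SELECT uid FROM LoginTable WHERE login = ? AND password = ?"
    return conn.execute(query, (name, pwd)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    # The slide's "OR 1=1" idea, written so that SQLite parses the result
    # (the trailing -- comments out the password clause).
    payload = "' OR 1=1 --"
    print(check_password_vulnerable(db, payload, "wrong"))   # True: bypassed
    print(check_password_safe(db, payload, "wrong"))         # False: rejected
```

With binding, the login column is compared against the literal string `' OR 1=1 --`, which matches no row; only the legitimate pair still authenticates.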

 17. Content Spoofing
     comment = "<a href="myad.com">Fun stuff ..."
     GET /?videoid=527 -> <html ... (the page contains the attacker's ad)
     * Notice that YouTube is not vulnerable to this attack *

 18. Problem
     ➡ An attacker can inject HTML tags in the page
     ๏ Add illegitimate content to the webpage (ads most of the time)

 19. [CSRF diagram]
     Profile table:
       id | url                                    | name
       53 | www.alice.com/profilepic               | Alice
       86 | www.badwebsite.com/Delete/?imageid=53  | Charlie
     Alice: GET View/?profileid=53 -> the page contains <img src="www.alice.com/profilepic"> -> the browser sends GET profilepic to www.alice.com
     Charlie: GET setProfile/?url=Delete/?profileid=53, then "Hey Alice, check my profile"
     Alice: GET View/?profileid=86 -> the page contains <img src="Delete/?profileid=53"> -> the browser sends GET Delete/?profileid=53 -> Done!

 20. Problem
     ➡ An attacker can make the browser issue HTTP requests by injecting URL-based HTML tags in the page, which the browser retrieves automatically
     ๏ Inject an image
     ๏ Insert any HTML content for which a CSS background image can be defined

 21. Generic Solution
     ✓ Protect legitimate requests with a CSRF token
     GET /getFormView -> response carrying a CSRF token -> POST request carrying the CSRF token
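The exchange on slide 21, as an added example that is not part of the deck: the form view embeds a token bound to the session, and the state-changing POST is accepted only when the token in the request body matches the one the server expects for the session named by the cookie. The server key, the session ids, the `/getFormView` and `/Delete` handlers and the form layout are constructed for the example; the token construction (an HMAC of the session id under a server secret) is one common design, not the deck's.

```python
# Added example (not from the slides): issuing and checking a CSRF token that is
# bound to the session. Key, session ids and handlers are constructed here.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed: generated once at server start


def issue_csrf_token(session_id):
    """Token = HMAC(server key, session id): unguessable and specific to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def get_form_view(session_id):
    """GET /getFormView: the response embeds the token in the form it returns."""
    token = issue_csrf_token(session_id)
    return ('<form method="POST" action="/Delete">'
            '<input type="hidden" name="csrf_token" value="' + token + '">'
            '<input type="hidden" name="profileid" value="53">'
            '<input type="submit" value="Delete"></form>')


def post_delete(session_id, form):
    """POST /Delete: the session id comes from the cookie (sent automatically by
    the browser), the token from the form body (which a forged request lacks)."""
    expected = issue_csrf_token(session_id)
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, expected):   # constant-time comparison
        return 403, "CSRF token missing or invalid"
    return 200, "profile " + form["profileid"] + " deleted"


def extract_token(html_form):
    """Read the token back out of the form, as the legitimate page would."""
    marker = 'name="csrf_token" value="'
    start = html_form.index(marker) + len(marker)
    return html_form[start:html_form.index('"', start)]


if __name__ == "__main__":
    form = get_form_view("sid-alice")
    token = extract_token(form)
    print(post_delete("sid-alice", {"csrf_token": token, "profileid": "53"}))  # (200, ...)
    print(post_delete("sid-alice", {"profileid": "53"}))                        # (403, ...)
```

An `<img src="Delete/?profileid=53">` planted in another profile, as on slide 19, can only make Alice's browser send her cookie; it cannot read the token out of a form served to her, so the forged request fails the check. Keeping the deletion on POST also means a plain GET from an image tag never reaches the state-changing code.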
 22. Cross-Site Scripting Attack (XSS attack)
     name=CMU -> "Hello CMU!"
     name=<script language="javascript">alert("XSS attack");</script>
       -> "Hello <script language="javascript">alert("XSS attack");</script>!"

 23. Problem
     ➡ An attacker can inject arbitrary JavaScript code in the page that will be executed by the browser
     ๏ Inject illegitimate content in the page (same as content spoofing)
     ๏ Perform illegitimate HTTP requests through Ajax (same as a CSRF attack)
     ๏ Steal the session ID from the cookie
     ๏ Steal the user's login/password by modifying the page to forge a perfect scam

 24. Forging a perfect scam
     comment = "<script> ..."
     GET /?videoid=527 -> <html ...
     The script contained in the comments modifies the page to look like the login page!
     The victim then submits login=Alice&password=123456 to the forged form.
     * Notice that YouTube is not vulnerable to this attack *

 25. It gets worse - XSS Worms
     Spread on social networks
     • Samy targeting MySpace (2005)
     • JTV.worm targeting Justin.tv (2008)
     • Twitter worm targeting Twitter (2010)

 26. Generic solution for injection-based vulnerabilities
     ✓ Always escape tainted data, i.e. data that comes from (or is derived from) user inputs
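The rule on slide 26 applied to the greeting of slide 22 and the comment fields of slides 17 and 24, as an added example that is not part of the deck: tainted data is escaped at the moment it is written into HTML, and the escaping depends on the context (text node versus `href` attribute). The rendering functions and sample inputs are constructed for the example; `render_greeting_unsafe` reproduces the vulnerable pattern only for comparison.

```python
# Added example (not from the slides): escaping tainted data where it is written
# into HTML, in the text and attribute contexts the deck's attacks target.
import html
from urllib.parse import urlsplit


def render_greeting_unsafe(name):
    """The vulnerable pattern from the XSS slide: tainted data written as-is."""
    return "Hello " + name + "!"


def render_greeting(name):
    """Text context: html.escape turns < > & " ' into entities, so a <script> tag
    arrives in the browser as visible text, not as markup."""
    return "Hello " + html.escape(name) + "!"


def render_comment(comment):
    """Comment bodies (content spoofing, 'perfect scam') get the same treatment."""
    return "<p>" + html.escape(comment) + "</p>"


def render_link(url, text):
    """Attribute context: a user-supplied URL is only linked when its scheme is
    http or https, and both the URL and the text are escaped for their context."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return html.escape(text)          # drop the link, keep the text
    return ('<a href="' + html.escape(url, quote=True) + '">'
            + html.escape(text) + '</a>')


if __name__ == "__main__":
    tainted = '<script language="javascript">alert("XSS attack");</script>'
    print(render_greeting_unsafe(tainted))   # the script tag survives intact
    print(render_greeting(tainted))          # Hello &lt;script language=&quot;...
    print(render_comment('<a href="myad.com">Fun stuff'))
    print(render_link("myad.com", "Fun stuff"))
```

Escaping is applied on output rather than on input because the same stored comment may later be written into a page, a JSON response or a log, each with its own quoting rules; the SQL slides make the matching point for the database side.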
 27. Conclusion
     [Diagram: Server Side (Web Server, Database) | Client Side (Web Browser)]
     You have absolutely no control over the client.

 28. References
     • Mozilla Secure Coding Guidelines
       https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
     • Ruby on Rails Security Page
       http://guides.rubyonrails.org/security.html
     • Django Security Page
       https://docs.djangoproject.com/en/dev/topics/security/
     • PHP Security Pages
       http://php.net/manual/en/security.php
       http://phpsec.org/projects/guide/