CSCD27 Web Security

Transcript

1. Web Security Thierry Sans

2. 1991 Sir Tim Berners-Lee

3. 2014 Collaboration Customer Resources Managemen Accounting and Billing Content Management

   E-Learning E-Health Publishing Web Portals Social Networks

4. Web security is a major concern

5. None
6. None
7. None
8. None
9. None

10. The Big Picture

11. The web architecture Server Side Client Side Web Server Database

    Web Browser

12. Securing the web architecture means securing ... • The network

    • The DNS (Domain Name System) • The web server operating system • The web server application (Apache for instance) • The database application (Oracle for instance) • The web application Our focus here!

13. What is a web application? program running 
 on the

    browser + program running 
 on the server

14. The State of Web Security

15. How big is the threat? Statistics based on data collected

    by the Whitehat security tool that monitors15,000 websites source “WhiteHat Website Security Statistics report 2013” from WhiteHat Security

16. Overall Vulnerability Population source “WhiteHat Website Security Statistics report 2013”

    from WhiteHat Security What are the attacks?

17. Average Number of Vulnerabilities (based on 7000 websites) source “WhiteHat

    Website Security Statistics report 2012” from WhiteHat Security Who is vulnerable?

18. Anatomy of a web application

19. The HTTP protocol Network protocol for requesting/receiving data on the

    Web • Standard TCP protocol on port 80 (by default) • URI/URL specifies what resource is being accessed • Different request methods

20. Let’s look at what a web server does > telnet

    whitehat.local 80 GET / telnet to a web server enter HTTP requests

21. Anatomy of a URL http://whitehat.local/index.php?filter=hello protocol server query string path

    resource get parameters

22. Authentication and Authorization ✓ Authentication • Who are the authorized

    users?
 ✓ Authorization • Who can access what and how?

23. The simple recipe for user authentication 1. Ask the user

    for a login and password and send it to the server (HTTP/POST request) 2. Verify the login/password based on information stored on the server (usually in the database) 3. Start a session once the user has been authenticated 4. Grant access to resources according to the session

24. The concept of session There is a session id (aka

    token) 
 between the browser and the web application This session id should be unique and unforgeable 
 (usually a long random number or a hash) ➡ Stored in the cookie The session id is bind to key/value pairs data ➡ Stored on the server

25. The big picture Web Server Web Browser HTTP request HTTP

    response HTTP request HTTP response Cookie : key/value pairs stored in the requests The user can create, modify, delete the session ID in the cookie Session : key/value pairs stored on the server But cannot access the key/value pairs stored on the server

26. Hacking Authentication

27. How to steal user’s credentials • Brute force the password

    • Brute force the session ID • Steal the user’s password • Steal the user’s session ID

28. Where to start? password = 123456 password = 123456 password

    = 123456

29. Do you trust the network? interesting! id=scACRSm... <html><... ๏ An

    attacker can eavesdrop messages sent back and forth

30. Do you really trust the network? I am id=scACRSm... <html><...

    ๏ An attacker can tamper with messages sent back and forth

31. Confidentiality and Integrity Confidentiality: how do exchange information secretly? ✓

    Encryption Integrity: How do we exchange information reliably? ✓ Digital Signature

32. Generic solution - HTTPS ➡ SSL provides • end-to-end secure

    channel (confidentially) • authentication handshake (integrity) ✓ HTTPS = HTTP + SSL


33. When to use HTTPS? We need to protect • Login

    and password • Session ID ✓ HTTPS must be used during the entire session

34. Limitation of HTTPS password = 123456 password = 123456 E#%FY7*5EZ$#G

35. Stealing passwords from the client • Social engineering - Phishing

    • Keyloggers (keystroke logging) • Data mining (emails, logs) • Hack the client’s code

36. Stealing passwords from the server • Hack the server •

    Hack the server’s side code

37. Hacking the Client’s Side Code

38. Client side’s attacks Incomplete Mediation ➡ hijacking the interactions between

    the client and the server Content Spoofing ➡ inject arbitrary HTML content into a webpage CSRF ➡ inject arbitrary urls into a webpage XSS ➡ inject arbitrary Javascript code into a webpage

39. Incomplete Mediation
 The shopping cart attack order=(#2956,10,9,90) Server Trusted Domain

    Client Trusted Domain * Notice that Amazon is not vulnerable to this attack * Thank you for your order! The total is calculated by a script on the client The order is generated based on the request 10

40. comment = “<a href=”myad.com”>Fun stuff ... * Notice that Youtube

    is not vulnerable to this attack GET /?videoid=527 <html ... GET /?videoid=527 <html ... Content Spoofing
 injecting arbitrary HTML content into a webpage The page contains the attacker’s code.

41. GET View/?profileid=53 GET Delete/?profileid=53 ??? ...... GET setProfile/?url=Delete/?profileid=53 GET View/?profileid=86

    <img src=”Delete/?profileid=53 GET Delete/?profileid=53 Hey Alice, check my profile id url name 53 www.alice.com/ profilepic Alice 86 www.badwebsite.com/ Delete/?imageid=53 Charlie www.badwebsite.com <img src=”www.alice.com/profilepic Done! profileid=86 GET profilepic www.alice.com CSRF attack
 injecting arbitrary urls into a webpage

42. comment = “<script> ... * Notice that Youtube is not

    vulnerable to this attack login=Alice&password=123456 GET /?videoid=527 <html ... GET /?videoid=527 <html ... The script contained in the comments modifies the page to look like the login page! XSS attack
 injecting arbitrary javascript into a webpage

43. Scope of XSS attacks ๏ Inject illegitimate content in the

    page
 (same as content spoofing) ๏ Perform illegitimate HTTP requests through Ajax 
 (same as a CSRF attack) ๏ Steal Session ID from the cookie ๏ Steal user’s login/password by modifying the page to forge a perfect scam

44. It gets worst - XSS Worms Spread on social networks

    • Samy targeting MySpace (2005) • JTV.worm targeting Justin.tv (2008) • Twitter worm targeting Twitter (2010)

45. Hacking the Server’s Side Code

46. Server’s side attacks SQL injection ➡ inject arbitrary SQL code

    executed on the server’s database File inclusion ➡ inject arbitrary code executed on the server

47. SQL Injection Attack inject arbitrary SQL code executed on the

    server’s database Access Deny! name=Alice&pwd=123456 checkPassword.php loginPage.html 123456’ OR ‘1’=‘1 Access Granted! <?php $uid = SQLQuery("SELECT uid FROM LoginTable WHERE login=" . $_POST['name'] . "AND password =" . $POST['pwd ']); if ($uid) echo "Access Granted"; else echo "Access Denied"; ?>

48. Scope of SQL injection attacks ๏ retrieves, adds, modifies, deletes

    arbitrary information ๏ bypasses authentication ๏ installs a reverse shell

49. File Inclusion Attack
 inject arbitrary code executed on the server

50. Web Penetration Testing

51. Web application security tools • Proxy mapper • Vulnerability scanner

    • Replay HTTP requests • (Exploit tool) Nikto Burp Suite W3af Acunetix AppScan Vega Commercial Open Source … among others

52. Conclusion Server Side Client Side Web Server Database Web Browser

    You have absolutely no control on the client

53. References • Mozilla Secure Coding Guideline
 https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines • Ruby on

    Rails Security Page
 http://guides.rubyonrails.org/security.html • Django Security Page
 https://docs.djangoproject.com/en/dev/topics/security/ • PHP Security Pages
 http://php.net/manual/en/security.php
 http://phpsec.org/projects/guide/