Web Security: part 1 Vulnerability Stats: web is “winning” Majority of vulnerabilities now found in web software20100 Web (XSS) Buffer Overflow Source: MITRE CVE.
Download ReportTranscript Web Security: part 1 Vulnerability Stats: web is “winning” Majority of vulnerabilities now found in web software20100 Web (XSS) Buffer Overflow Source: MITRE CVE.
Web Security: part 1
1
Vulnerability Stats: web is “winning” Majority of vulnerabilities now found in web software
25 20 15 10 5 0 2001 2002 2003 Web (XSS) 2004 2005 Buffer Overflow 2006
Source: MITRE CVE trends
Web security: two sides
Web browser (this and next lecture) Can be attacked by any web site it visits Attacks result in: Malware installation (keyloggers, bot-nets) Document theft from corporate network Loss of private data Web application code: (next Thursday) Runs at web site, e.g. banks, e-merchants, blogs Written in PHP, ASP, JSP, Ruby, … Many potential bugs: XSS, XSRF, SQL injection Attacks lead to stolen CC#, defaced sites, mayhem
Web Threat Models
Web attacker
Control attacker.com
Can obtain SSL/TLS certificate for attacker.com ($0) User visits attacker.com
Network attacker
Passive: Wireless eavesdropper Active: Evil router, DNS poisoning
Malware attacker
Attacker escapes browser sandbox
Malware attacker
Browsers (like any software) contain exploitable bugs Often enable remote code execution by web sites Google study: [the ghost in the browser 2007] Found Trojans on 300,000 web pages (URLs) Found adware on 18,000 web pages (URLs) NOT OUR FOCUS THIS WEEK Today: even if browsers were bug-free, still lots of vulnerabilities on the web
Microsoft Security Bulletin MS06-013, April 2006
Malware distribution
Via vulnerable web servers:
Security User Interface
8
Address Bar
Where this page came from awglogin But not where the embedded content came from
Protocol
URLs
Global identifiers of network-retrievable documents
Example:
http://stanford.edu:81/class?name=cs155#homework Hostname Port Path Fragment Query Special characters are encoded as hex: %0A = newline %20 or + = space, %2B = + (special exception)
HTTP Request
Method File HTTP version Headers GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive Host: www.example.com
Blank line Data – none for GET
GET: no side effect. POST: possible side effect.
HTTP Response
HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Content-Length: 2543 Some data... blah, blah, blah Data
Mixed Content: HTTP and HTTPS
Page loads over HTTPS, but contains content over HTTP IE: displays mixed-content dialog to user Flash files over HTTP are loaded with no warning (!) Note: Flash can script the embedding page Firefox: displays a red slash over lock icon (no dialog) Flash files over HTTP do not trigger the slash Safari: does not attempt to detect mixed content
Mixed Content: HTTP and HTTPS
silly dialogs
Mixed content and network attacks
banks: after login all content served over HTTPS Developer error: Somewhere on bank site write Active network attacker can now hijack any session Better way to include content: served over the same protocol as embedding page
Lock Icon 2.0
Extended validation (EV) certs • Prominent security indicator for EV certificates • note: EV site loading content from non-EV site does not trigger mixed content warning
Picture-in-picture attacks
Trained users are more likely to fall victim to this [JSTB’07]
Finally: the status Bar
Trivially spoofable PayPal
Same Origin Policy
19
Document Object Model (DOM)
Object-oriented interface used to read and write docs web page in HTML is structured data DOM provides representation of this hierarchy Examples Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ] Methods: document.write(document.referrer) Also Browser Object Model (BOM) window, document, frames[], history, location, navigator (type and version of browser)
Browser Same Origin Policy (SOP)
Web sites from different domains cannot interact except in very limited ways
Applies to: Cookies: cookie from origin A not visible to origin B DOM: script from origin A cannot read or set properties for origin B For DOM access, two origins are the same iff ( domain-name, port, and protocol ) are equal Safari note: until 3.0 SOP was only (domain-name, port)
SOP Examples
Example HTML at www.site.com Disallowed access: alert( frames[0].contentDocument.body.innerHTML
alert( frames[0].src
) ) Allowed access: alert( images[0].height
) Navigating child frame is allowed (but reading frame[0].src is not): frames[0].location.href = “http://mysite.com/”
document.domain
Setting
document.domain
changes origin of page Can only be set to suffix of domain name checkout.shop.com
shop.com
login.shop.com
shop.com
same origin shop.com: to join “origin” shop.com must do: document.domain = document.domain
Origin is actually the tuple
Web Browser: the new OS
Origins are “similar” to processes One origin should not interfere with another Cooperation: often sites want to communicate Google AdSense:
Sending a Cross-Domain GET
Data must be URL encoded Browser sends: GET file.cgi?foo=1&bar=x
%20
y HTTP/1.1
Host: othersite.com
… Can’t send to some restricted ports, like 25 (SMTP) Denial of Service (DoS) using GET: a popular site can DoS another site [Puppetnets ’06]
Sending a Cross-Domain POST
submit post Hidden iframe can do this in background user visits a malicious page, browser submits form on behalf of user e.g. page re-programs user’s home router ( XSRF ) Can’t send to some restricted ports, like 25 (SMTP)Cookies: client state
32
Cookies
Used to store state on user’s machine GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; If expires=NULL: this session only expires = (when expires) ; secure = (only over SSL) Browser GET … Cookie: NAME = VALUE Server HTTP is stateless protocol; cookies add state
Cookie authentication
Browser POST login.cgi
Username & pwd Set-cookie:
auth=val
Web Server Validate user
auth=val
Auth server Store val GET restricted.html
Cookie:
auth=val
If YES, restricted.html
restricted.html
auth=val YES/NO Check val
Weak authenticators: security risk
Predictable cookie authenticator Verizon Wireless - counter user logs in, gets counter, can view sessions of other users Weak authenticator generation: [Fu et al. ’01] WSJ.com: cookie =
{user, MAC k (user) }
Weak MAC exposes
K
from few cookies.
Apache Tomcat: generateSessionID() MD5(PRNG) … but weak PRNG [GM’05].
Predictable SessionID’s
Cookie Security Policy
Uses: User authentication Personalization User tracking: e.g. Doubleclick (3 rd party cookies) Browser will store: At most 20 cookies/site, 3 KB / cookie Origin is the tuple
Can set cookies valid across a domain suffix
Secure Cookies
Browser GET … HTTP Header: Set-cookie: NAME=VALUE ; Secure=true Server • Provides confidentiality against network attacker • Browser will only send cookie back over HTTPS • … but no integrity • Can rewrite secure cookies over HTTP network attacker can rewrite secure cookies can log user into attacker’s account
httpOnly Cookies
Browser GET … HTTP Header: Set-cookie: NAME=VALUE ; httpOnly Server • Cookie sent over HTTP(s), but not accessible to scripts • cannot be read via document.cookie
• Helps prevent cookie theft via XSS … but does not stop most other risks of XSS bugs.
Storing data on browser?
Unreliable: – User can change/clear values – Silly example: Shopping cart software –
Set-cookie:shopping-cart-total = 150
User edits cookie file (cookie poisoning):
Cookie: shopping-cart-total = 15
($) ($) Similar to problem with hidden fields
39
Not so silly … (as of 2/2000)
D3.COM Pty Ltd: ShopFactory 5.8
@Retail Corporation: @Retail Adgrafix: Check It Out Baron Consulting Group: WebSite Tool ComCity Corporation: SalesCart Crested Butte Software: EasyCart Dansie.net: Dansie Shopping Cart Intelligent Vending Systems: Intellivend Make-a-Store: Make-a-Store OrderPage McMurtrey/Whitaker & Associates: Cart32 3.0 [email protected]: CartMan 1.04 Rich Media Technologies: JustAddCommerce 5.0 SmartCart: SmartCart Web Express: Shoptron 1.2 Source: http://xforce.iss.net/xforce/xfdb/4621
40
Solution
When storing state on browser, MAC data using server secret key – .NET 2.0: System.Web.Configuration.MachineKey
Secret web server key intended for cookie protection – HttpCookie cookie = new HttpCookie(name, val); HttpCookie encodedCookie = HttpSecureCookie.Encode (cookie); – HttpSecureCookie.Decode (cookie);
41
Frames and frame busting
42
Frames
Embed HTML documents in other documents
Frame Busting
Goal: prevent web page from loading in a frame example: opening login page in a frame will display correct passmark image Frame busting:
if (top != self)
top.location.href = location.href
Correct Frame Busting
Problem: Javascript OnUnload event
Correct frame busting: if (top != self) top.location.href = location.hrefelse { … code of page here …}
THE END
46