04/15/10
1
Web Security
Cyber Security Lab
Spring '10
04/15/10
2
Outline
- Web application weaknesses
- SQL Injection Attacks
- (Slides from Lars Olson)
- http://www.cs.uiuc.edu/class/fa07/cs461/slides/DBSecurity.ppt
04/15/10
3
The Web as a Ripe Target
- Attack targets
- Client browser/machine
- Install adware
- Email address book
- Bank information displayed
in browser
- Web server
- Infect pages to be served
to others, e.g. Knoppix
- Backend server
- Grab valuable customer data
04/15/10
4
Attack Tools
- Used to be HTML, CGI and Java
- Now Javascript and AJAX
- Active content which
may not be apparent
- Script access to current page
(DOM)
- Ability to make additional
HTTP requests
- SQL injections to attack the
backend
04/15/10
5
Cross Site Scripting (XSS)
- Goal – Inject malicious
code into web pages viewed by others.
- Cross site a bit of a misnomer.
- Term applies to general injection
of malicious script
- Three types
- Wikipedia reference
- http://en.wikipedia.org/wiki/Cross_site_scripting
04/15/10
6
Type 2 XSS
- Type 2 – Stored or persistent
- User entered data is stored
- Later used to create dynamic
pages
- Very powerful attack
- Examples
- Sites that allow HTML formatted
user input, e.g. Blog comments, wiki entries.
04/15/10
7
Second Order XSS
- Combine type 2 attack with
social engineering
- Sign up for an account
- Enter exploit script in address
field
- Call help desk
- Display your record
- Launch from the inside
04/15/10
8
Type 1 XSS
- Type 1 – Non-persistent
or reflected
- User enters data. Server
uses data to dynamically create page, e.g. Search engine
- Generally attacking self,
but could be tool for social engineering.
- E.g., enter the following
into a form that then shows the original query in the response.
- <script>confirm("Do
you hate purple dinosaurs?");</script>
04/15/10
9
Type 0 XSS
- Type 0 -DOM-based or Local
- Very similar to Type 1 except
the actual script is passed argument and parsed on client side only
- Server processing cannot fix
the problem
- Again self attack. Likely
invoked through phishing link, email HTML rendering, or hidden link
in main page.
04/15/10
10
Type 0 XSS
- Consider
- <HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>
<BR>
Welcome to our system…</HTML>
- Invoke as
- http://vulsystem.com/welcome.html?name=Bob
- http://vulsystem.com/welcome.html?name=<script>alert(document.cookie)</script>
04/15/10
11
Input Cleansing
- Ensure that the user is providing
the type of information you are expecting.
- No HTML tags in blog comments
- Perform escaping of all special
characters
- Mozilla and “get” arguments
- Could defeat by alternative
encodings
04/15/10
12
Example MySpace Exploit
- Samy Worm – October '05
- Person views infected myspace
page
- Executes javascript exploit
- Adds Samy to viewer's hero
list
- Adds infection to viewer's
myspace page
- http://namb.la/popular/tech.html - Technical explanation apparently from Samy
- Many cases of tediously finding
alternative ways of expressing javascript components
04/15/10
13
Newer Exploits
- Quicktime worm – December
'06
- Blank movie provides hook
to execute malicious script
- Script redirects to phishing
page that looks like myspace login page
- http://www.securityfocus.com/brief/375
Koobface virus on MySpace and Facebook
See link to movie. Movie requires
flash update (really virus)
04/15/10
14
Multi-Encoding Techniques
- Trick system into incorrectly
processing “special characters”
- US-ASCII
- Unicode encodings - UTF-8
or UTF-16
- ISO 8859-n
- Different prefixes for different
languages
- Multiple ways of encoding
the same character
- Multiple ways of encoding
and IP address
- 192.168.1.1 or C0.A8.1.1
or 3232235777
04/15/10
15
Cleansing Options
- Improve input cleansing in
code
- Web firewall
- Web proxy
- A couple packages
04/15/10
16
Web security packages
- Pen test tools and proxies
- Web Scarab
- http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- BURP
- http://www.portswigger.net/suite/
- Web application firewall (WAF)
- Imperva WAF - http://www.imperva.com/waf/
- WAF Evaluation Criteria http://www.webappsec.org/projects/wafec/
04/15/10
17
Play with Flawed Web Sites
- Examine missions to discover
and exploit each web sites flaw
- http://www.hackthissite.org/missions/
04/15/10
18
AJAX
- Allows JavaScript to request
additional data
- Dynamically update part of
page
- XmlHttpRequest (XHR) is the
key class
- http://www.w3.org/TR/XMLHttpRequest/
- Generally used to pull new
information or send information
04/15/10
19
Same origin policy
- Script can only make requests
to the domain of its original source
- Script can only access document
it fetched
- Bound what sneaky scripts
can access
- Could avert
- Signed scripts
- ActiveX/Java proxies
- Trusted security zones
04/15/10
20
Mashups
- Combine data from two sources
in one new groovy page
- E.g., Google map data plus
address information from corporate directory
- Create personal desktop by
combining scripts from multiple sources
- What if you include my “magic
8” service in your desktop?
04/15/10
21
Mashup restrictions
- In general cross domain communication
forbidden by same origin policy
- Ad Hoc workarounds
- Proxy, iframes, dynamic script
creation
- New mashup explicit standards
being developed
04/15/10
22
Data Harvesting
- XML or JSON data offered
via HTTP
- Intended as target for AJAX
apps
- Could be accessed directly
- Fetching entire data set
may be undesirable
- Load on server
- Possibility of competitor
leveraging your data collection work
- Introduce throttling or metering
mechanisms
04/15/10
23
Web Services
- Standards for enabling machine
to machine communication over the web.
- Web Service Standards - WS-*
- Many thoroughly defined standards
- Generally encoded through
XML and SOAP
- Perceived as very heavy weight
- Representational State Transfer
– RESTful web services
- Just use simple set of HTTP
operations GET, PUT, and DELETE
04/15/10
24
SQL Injections
04/15/10
25
Disclaimer!!
- Do not use your powers for
evil.
- The purpose of showing these
attacks is to teach you how to prevent them.
- Established e-commerce sites
are already hardened to this type of attack.
- You might cause irreparable
harm to a small “mom-and-pop” business.
- Even if you don’t, breaking
into someone else’s database is illegal and unethical.
04/15/10
26
Characterization of Attack
- Not a weakness of SQL
- ...at least in general
- SQL Server may run with administrator
privileges, and has commands for invoking shell commands
- Not a weakness of database,
PHP/scripting languages, or Apache
- Building executable code
using data from an untrusted user
- Perl taint mode was created
to solve a similar problem
04/15/10
27
Simple Attack Example
select count(*)
from login where
username = '$username' and
password = '$password';
- Setting the password to “' or 'a' = 'a”:
select count(*)
from login where
username = 'alice' and
password = '' or 'a' = 'a';
- In fact, username doesn’t
even have to match anyone in the database
04/15/10
28
Detecting Vulnerability
- Try single apostrophe
- If quotes aren’t filtered,
this should yield an error message
- Error message may be useful
to attackers
- May reveal database vendor
(important later on)
- Try a comment character (double-hyphen
in some databases, # symbol in others)
- Only works for numeric fields,
if quotes are filtered
- Not as commonly filtered
04/15/10
29
Inferring Database Layout
(1)
' and email is
null--
' and email_addr is
null--
- Use error messages (or lack
of)
04/15/10
30
Inferring Database Layout
(2)
' and users.email_addr
is null--
' and login.email_addr
is null--
- Can be done with an automated
dictionary attack
- Might discover more than one
table in the query
- Guess at other table names
' and 1=(select count(*) from
test)--
04/15/10
31
Discovering Table Data
- Depends on query structure,
output format
- May be directed at a particular
user or account (e.g. root)
' or username like '%admin%'--
- May include brute-force password
attacks
04/15/10
32
Query Stacking (1)
- Use semicolon as command
separator
- Useful output is limited by
application
- My main example doesn’t
output anything from the database.
- Try the queries on a login
page that displays a query result.
1;
select * from test--
- Doesn’t display the entire
table? Try modifying the query:
1;
select b from test--
1;
select a from test where a not in (1)--
04/15/10
33
Query Stacking (2)
- Displaying database structure
1;
select relname from pg_class--
- Output displays only one result?
Use repeated application
1;
select relname from pg_class where relname not
in ('views')--
04/15/10
34
Query Stacking (3)
- Displaying database structure
(cont)
- Table structure: vendor-specific,
use repeated application if needed
1;
select attname from pg_class, pg_attribute where pg_class.relname
= 'login' and pg_class.oid = pg_attribute.attrelid--
04/15/10
35
Query Stacking (4)
'; insert into login
values(100, 'attacker', 'attackerpw', 2222, 'attacker@example.com')--
'; update login set
password='newpw' where username like '%admin%'--
04/15/10
36
Second-Order SQL Injection
- Inserting text fields that
will pass initial validation, but could be used later on.
- e.g. Adding a new user
on a web form
- Username: alice'' or username=''admin
- Later, the user updates her
password. The application runs:
update users set
password='$password' where username='$username'
update users set
password='newpw' where username='alice' or username='admin'
04/15/10
37
How to Prevent Attacks
(1)
- Input Verification
- Use pattern matching
- May be tricky if we want to
allow arbitrary text
- Escape characters
- addslashes() function or other
input sanitizer
- PHP “Magic Quotes”
- Automatically corrects single-quote,
double-quote, backslash, null
- Enabled by default in PHP
5, removed in PHP 6
04/15/10
38
How to Prevent Attacks
(2)
- MySQL doesn’t allow query
stacking
- Use stored procedures instead
of queries
- Limit database privileges
of application
- Run in non-admin user space
to prevent system calls (e.g. MS SQL Server)
- Hide error messages
04/15/10
39
How to Prevent Attacks
(3)
- Prepared Statements (Java,
Perl, PHP, ...)
- PHP/PostgreSQL: select count(*) from
login where username=$1 and password=$2
- Java: select
count(*) from login where username=? and password=?
- Partially builds parse tree,
fills in gaps after user input
- Also allows database optimization
- Please note: some parts
of a query cannot be parameterized in a prepared statement.
- Table name, column name, answer
size limit
- Arbitrary number of conditions
04/15/10
40
Query Syntax Analysis
- Injection attacks necessarily
change the parse tree of a query
Su Wasserman 06
04/15/10
41
Conclusions
- Rich target
- Most Internet activity is
web based
- Fast changing technology
- JavaScript, AJAX, web services
- People innovating tech by
using tools in unexpected ways
- “Web 2.0” will continue
to be interesting source of new attacks and exploits