LECTURE 23: MORE SECURITY CSE 442 Software Engineering Serious - - PowerPoint PPT Presentation



SLIDE 1

LECTURE 23: MORE SECURITY

CSE 442 – Software Engineering

SLIDE 2

Serious Hacking Attempts

SLIDE 3

Cross Site Request Forgery

SLIDE 4

Cross-Site Requests

- A request is same-site when the page making it and the server it goes to belong to the same site
- A request sent to any other site is a cross-site request
- Pages include HTTP requests to other sites for many reasons:
  - Embed images
  - Load frames
  - Show ads
  - Send a link
- The browser attaches the destination site's cookies to same-site AND cross-site requests
  - Caveat: Chromium-based browsers now treat a cookie with no SameSite attribute as SameSite=Lax, which withholds it from most cross-site subrequests; other browsers and older versions still send it, so a server must set SameSite explicitly and must not rely on the browser default as its only defense

SLIDE 5–10

Cross Site Request Example (diagram, built up over six slides)

The browser holds a page from Facebook and a page from Google; each page's requests back to its own site are labelled Same-Site Request. A third page, "Page with Ads & Like button", sends Cross-Site Requests to the ad network and to Facebook, and the browser attaches cookies to those just as it does to the same-site ones.

SLIDE 11

Cross-Site Knowledge

- The browser knows whether a request is cross-site or not
  - But that knowledge was traditionally NOT shared with the server (newer browsers add a Sec-Fetch-Site header for this; see the countermeasures below)
- Problems arise when cookies are used to store login state
  - To check authorization, the server looks up the session the cookie identifies
  - But the browser sends the cookie on every request, even a cross-site one
- This creates an opportunity for mischief by forging a request
  - Cross-Site Request Forgery (CSRF) is the name for this attack

SLIDE 12

CSRF Example

A page on NotEvilHacker.com contains:

<img src="https://facebook.com/?action=post&content=HertzStuff">

The browser fetches the image URL as a cross-site request to facebook.com and attaches the victim's Facebook cookies to it.

SLIDE 13

CSRF Bank Example

- To identify the user, the bank sets a session cookie at login
  - The server always checks the cookie, so the bank believes the hack is not possible
- The victim finishes and leaves WITHOUT logging out
  - HTTP is stateless; the cookie is still valid, so the server keeps treating any request that carries it as authorized
- Each time the victim loads a page containing the forged request, the attacker steals $500:

  www.vic.com/transfer.php?to=250&amt=500

  - The site is secured on the server side and the attacker has no access to the victim's account
  - But the victim's browser still has the cookie, so the forged request looks valid
- Only the request is needed; no clicks required
  - The browser will fetch the link if it is the src of an img, iframe, or script

SLIDE 14

GET and POST

- GET requests are simpler to forge, but forging a POST is possible too
  - Usually needs a button click, but JavaScript can submit the form automatically:

<body onload="document.forms[0].submit();">
  <form action="http://vic.com/transfer.do" method="POST">
    <input type="hidden" name="to" value="250"/>
    <input type="hidden" name="amt" value="500"/>
    <input type="submit" value="Dank Memes"/>
  </form>
</body>

SLIDE 15

Social Engineering

- The attacker must trick the victim into loading the page
- Many techniques exist for this
- A browser is not even needed if the email client renders HTML
  - Aside: this is why images are often disabled in email
- Any single attempt has a very low chance of working
  - Handle this by sending to many people
  - A commonly used website is best for this
  - If the targets are known, a lesser used site is okay

SLIDE 16

CSRF Countermeasures

- The (optional) Referer field in the HTTP header names the page that sent the request
  - The field exposes browsing history, so it leaks information about the user
  - To protect privacy, some browsers and proxies strip it, so a server cannot require it without breaking legitimate users
- HTTP is an open protocol; anyone can write their own client
  - A custom client can set Referer to whatever it needs rather than the truth
  - Caveat: a forged request only works when it comes from the victim's browser (that is where the cookie lives), and browsers do not let page scripts set Referer; the practical weakness of Referer checking is the stripping above, not spoofing
- A better field would state directly whether the request is cross-site or not
  - Modern browsers send exactly that as Sec-Fetch-Site (same-origin, same-site, cross-site, or none); a server can reject state-changing requests marked cross-site, but old clients do not send the header, so it is a supplement to the token defenses, not a replacement


SLIDE 18

CSRF Countermeasures

- Put a random secret value ("secret token") on each page
- Include the secret value when the page's information is sent back (for example as a hidden form field)
  - Pages from other origins cannot read it, due to the same-origin policy:

  Scripts can only access the DOM of pages with the same origin

  - The server rejects any state-changing request whose token does not match the one issued for that session
- Could also use a cookie to store the secret value ("double submit")
  - When the request is submitted, page script reads the cookie and adds its value to the request (as a header or form field)
  - The same-origin policy prevents the attacking page from reading the cookie, so it cannot supply the matching value
  - Caveat: the server must compare the submitted value with the cookie value; the cookie alone proves nothing, because the browser sends it on the forged request anyway
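Both token schemes from this slide, plus the Sec-Fetch-Site and SameSite checks from the countermeasure slides, as an added Python example (this is not code from the lecture). The server key, the cookie and field names, and the header/cookie/form dictionaries standing in for a parsed HTTP request are assumptions made for the example:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side key (assumption for this example). A real service
# loads it from configuration or a secret store and never hard-codes it.
SERVER_KEY = b"example-only-replace-with-32-random-bytes"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token for one page: random nonce + HMAC binding it to the session.

    The server embeds the result in a hidden form field. A page on another
    origin cannot read that field because of the same-origin policy.
    """
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, tag = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def double_submit_ok(cookies: dict, form: dict) -> bool:
    """Double-submit variant: the value in the csrf cookie must be repeated in the form.

    The attacking page can make the browser *send* the cookie, but cannot *read*
    it, so it cannot copy the value into its forged form.
    """
    cookie_val = cookies.get("csrf")
    form_val = form.get("csrf_token")
    if not cookie_val or not form_val:
        return False
    return hmac.compare_digest(cookie_val.encode(), form_val.encode())


def transfer_allowed(headers: dict, cookies: dict, form: dict) -> bool:
    """Gate for a state-changing request such as transfer.php on slide 13.

    Every signal must pass; a forged cross-site POST fails at least one of them.
    """
    # 1. Browsers that send Sec-Fetch-Site say directly whether the request is
    #    cross-site. "none" means user-initiated (typed URL, bookmark).
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return False
    # 2. There must be a logged-in session (the cookie the bank already checks).
    session_id = cookies.get("session")
    if not session_id:
        return False
    # 3. The page-embedded token must verify for *this* session.
    return verify_csrf_token(session_id, form.get("csrf_token"))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line. SameSite=Lax asks the browser to omit the cookie on
    cross-site POSTs and subresource loads, as defense in depth."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The HMAC binding means a token stolen from one user's page does not verify for another session, and the constant-time comparisons avoid leaking the token byte by byte through timing. Older browsers omit Sec-Fetch-Site entirely, which is why step 1 only rejects when the header is present and says cross-site; the token check in step 3 is what actually stops the slide 14 form post from those clients.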

SLIDE 19

Cross Site Scripting

SLIDE 20

Cross Site Scripting (XSS)

- Attacks by providing code rather than data
  - A type of "injection" attack that is very common on the web
  - Works when the browser interprets the input as script (or as markup that runs script)
- Any input channel is a potential attack vector for XSS
  - The attack occurs immediately if the input is reflected straight into the response (reflected XSS)
  - With persistent storage it is delayed until the data is read back and rendered (stored XSS)


SLIDE 23

Who Cares?

- Embedded JavaScript can program the user's actions
  - The browser acts as if the user performed them
  - Computers have an IQ of 0; they do not know what the user wanted
- Using XSS a malicious actor can:
  - Steal cookies (and the sessions they identify)
  - Deface websites (fake news; embarrassing images)
  - Wiretap keystrokes
  - Steal personal information
  - Run self-propagating exploits (the Samy worm on MySpace)

SLIDE 24

Defense Against XSS

Encoding

- Replace special characters with entities and let HTML render them:
  - < becomes &lt;
  - > becomes &gt;
  - & becomes &amp;
  - " becomes &quot; and ' becomes &#x27; (needed for data placed inside attribute values)
  - space becomes &nbsp;
  - newline becomes <br/>
  - Many others are also possible

Filtering

- For HTML, a filter must reject at least:
  - <script>
  - <iframe>
  - <div style="background:url('javascript:alert(1)')">
  - <IMG src=j&#X41vascript:alert(1)>  (the entity-encoded letter slips past a naive "javascript:" check)
  - eval('xmlhttp.onread' + 'ydstatechang' + 'e=callback');  (string split up to evade a keyword check)
- The last two show why blocklist filtering is a losing game: encode output for the context it lands in, and allowlist the few things (such as http/https URLs) that must stay unencoded


SLIDE 26

Filtering & Encoding Support

- Many libraries exist to help developers with this work
  - jsoup for Java (jsoup.org/) cleans HTML against an allowlist of tags and attributes
  - AntiXSS for .NET (www.nuget.org/packages/AntiXSS)
  - OWASP Enterprise Security API (ESAPI) provides encoders for several languages (www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Home)
- Languages also provide built-in functions
  - htmlspecialchars() in PHP (pass ENT_QUOTES so single quotes are encoded as well)
  - Request validation (ValidateRequest) in ASP.NET rejects suspicious input; it is a filter, not an encoder, so it does not replace output encoding
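Slide 24's two approaches side by side, as an added Python example (not code from the lecture or from any of the libraries above): context-aware encoding with the standard library's html module, a scheme allowlist for URLs, and the slide's own `j&#X41vascript:` payload showing why a blocklist filter fails. The function names and the sample comment fields are assumptions for the example:

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit


def encode_for_html(s: str) -> str:
    """Encode untrusted data for an HTML text node or a quoted attribute value.

    < > & are the slide's list; " and ' are added so the value cannot break out
    of a quoted attribute. Always put attribute values in quotes.
    """
    return html.escape(s, quote=True)


def naive_filter_passes(s: str) -> bool:
    """The 'must reject' list from slide 24 as a blocklist. True = input looks clean.

    Kept only to show how it fails; this is not a defense.
    """
    blocked = ("<script", "<iframe", "javascript:", "eval(")
    lowered = s.lower()
    return not any(b in lowered for b in blocked)


def safe_link_url(user_url: str) -> Optional[str]:
    """Allowlist a URL destined for an href: decode it the way a browser would,
    then accept only http/https schemes. Returns the cleaned URL or None."""
    decoded = html.unescape(user_url)           # &#X41 -> 'A', &Tab; -> tab, ...
    decoded = re.sub(r"[\t\n\r]", "", decoded)  # browsers ignore these inside a scheme
    decoded = decoded.strip()
    if urlsplit(decoded).scheme.lower() not in ("http", "https"):
        return None
    return decoded


def render_comment(author: str, body: str, link: str) -> str:
    """Build one comment's HTML from untrusted fields, encoding per context."""
    url = safe_link_url(link)
    link_html = f' <a href="{encode_for_html(url)}">{encode_for_html(url)}</a>' if url else ""
    return (f'<div class="comment" data-author="{encode_for_html(author)}">'
            f"{encode_for_html(body)}{link_html}</div>")
```

The decode-then-check order in safe_link_url is the point: the browser will decode `&#X41` before deciding what scheme it is looking at, so the check has to see the same string the browser does. The function deliberately rejects scheme-less (relative) URLs; relax that only if the page needs them. Note that encoding covers HTML text and quoted attributes only; data placed inside a <script> block, a CSS value or a URL query needs that context's own encoder.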

SLIDE 27

SQL Injection Attacks

SLIDE 28

SQL Injection Attack

- Like XSS, attacks by providing code rather than data
  - Much more dangerous because it attacks the data server
  - The damage is greater, too: all of the server's data can be compromised

SLIDE 29

SQL Injection Attack Key

- The attack takes advantage of how most web apps are structured:

  Browser -> Web Application Server -> Database

  - The browser attacks by crafting input sent to the app server
  - But the attack is not on the app server; it is carried out by the app server
  - The database is left defenseless because it trusts the app server

SLIDE 30

Sample Database Table

Table Name: USERS_TABLE

  UID | NAME    | GENDER | AGE | EMAIL             | PASSWD
  ----+---------+--------+-----+-------------------+-----------
  1   | Alice   | F      | 22  | alice@buffalo.edu | az34Fn89
  2   | Bob     | M      | 30  | bob@buffalo.edu   | Ff4323sa9
  3   | Carol   | F      | 26  | carol@buffalo.edu | Ra234d02
  4   | Douglas | M      | 44  | doug@buffalo.edu  | 22as95asdF

- Basic operations: select, insert, update, & delete
  - "CRUD" (create, read, update, delete) is the cooler name for the same set

SLIDE 31

Insert Statement (on USERS_TABLE above)

INSERT INTO USERS_TABLE VALUES ('5', 'Edgar', 'M', '30', 'ed@buffalo.edu', '45adr56y');

SLIDE 32

Update Statement

UPDATE USERS_TABLE SET EMAIL='a@gmail.com' WHERE NAME='Alice';
UPDATE USERS_TABLE SET AGE=43;          -- no WHERE clause: every row is changed

SLIDE 33

Delete Statement

DELETE FROM USERS_TABLE WHERE NAME='Alice';
DELETE FROM USERS_TABLE WHERE AGE < 25;
DELETE FROM USERS_TABLE;                -- no WHERE clause: every row is removed

SLIDE 34

SQL Comments

- SQL supports single and multiline comments
  - Start with -- for a single line comment
  - Put text between /* */ for a multiline comment

SELECT * FROM Customers -- WHERE City='Berlin';

/* Select all the columns of all the records in the Customers table: */
SELECT * FROM Customers;

SELECT CustomerName /*, City, Country*/ FROM Customers;

- Note the first statement: the comment swallows the WHERE clause, so every customer is returned. An injected -- does exactly this to the rest of a query.

SLIDE 35

Web App Flow of Data

Browser -> Web Application Server -> Database

The application server builds the query by pasting the request parameters into a string:

<?php
$sql = "SELECT id, name, salary FROM credential
        WHERE eid = '$eid' AND password = '$passwd'";
$result = $conn->query($sql);
?>

For eid=9999 and passwd=secret the database receives:

SELECT id, name, salary FROM credential WHERE eid = '9999' AND password = 'secret';

SLIDE 36

Hack Attack!

What input(s) will retrieve more than we should?

<?php
$sql = "SELECT id, name, salary FROM credential
        WHERE eid = '$eid' AND password = '$passwd'";
$result = $conn->query($sql);
?>

SLIDE 37

SQL Injection Attack (1)

- If $eid is:

  x' OR 1=1 --

- The query is sent to the database and executed as:

  SELECT id, name, salary FROM credential WHERE eid = 'x' OR 1=1 -- '

  - The rest of the original query (the closing quote and the password check) sits after -- and is ignored, and OR 1=1 matches every row

SLIDE 38

Multiple SQL Statements

- A semicolon (;) separates statements, so one input can carry more than one
- This makes far worse hacks possible than just retrieving data:

  SELECT id, name, salary FROM credential WHERE eid = 'x'; DELETE FROM credential -- '

- Countermeasures may already be in place for this variant: many database APIs run only one statement per call (PHP's mysqli::query() executes a single statement; stacked statements need multi_query()), so it does not work everywhere. Do not count on it; the single-statement injection above still works.

SLIDE 39

More Hack Attack!

What input(s) will give someone a BIG raise?

<?php
$sql = "UPDATE credential SET NickName = '$nname', PhoneNumber = '$phone'
        WHERE eid = '$eid'";
$result = $conn->query($sql);
?>

SLIDE 40

SQL Injection Attack (2)

- When $nname is:

  A', Salary=1000000, Email='

- The query becomes:

  UPDATE credential SET NickName = 'A', Salary=1000000, Email='', PhoneNumber='' WHERE eid = '20000'

  - The injected text closes the NickName literal, adds a Salary assignment, then opens a new literal that swallows the original closing quote
- Comments are not always needed for SQL injection

SLIDE 41

Input Validation to Block

- Could validate input (check for special characters) and:
  - Reject input containing special characters
  - Remove the special characters from the input
  - Play it safe and escape the special characters
- But this requires knowing ALL the special characters
  - The list must be updated as the database adds new syntax
- A better approach is to use a library for this
  - In PHP, mysql_real_escape_string() (removed in PHP 7; the replacement is mysqli_real_escape_string())
  - Still a game: what if MySQL is updated first? And escaping only helps inside quoted string literals; a value pasted in unquoted (WHERE id = $id) is injectable with no special characters at all

SLIDE 42

Underlying Cause

- The problem comes from mixing data and code in the program
- User input (data) is handed to the SQL parser along with the code
- It should be data, but it is appended to a string that is executed as code
  - The user injects code, which is then executed like any other
- Best solution: always keep code and data separate

SLIDE 43

SQL Injection Key Concept

Don't make it a game: prepared statements are always better than filters or sanitizing

SLIDE 44–47

PHP Prepared Statement

$stmt = $conn->prepare(
    "SELECT * FROM credential WHERE user = ? AND age = ? AND height = ?");
$stmt->bind_param("sid", $user, $age, $meters);
$stmt->execute();

Step 1: Send the code that will be executed (the query with ? placeholders; the database parses it now, so its structure is fixed before any user data arrives)

Step 2: Send the data to fill in the placeholders ("sid" declares the types: string for $user, integer for $age, double for $meters; the values are never parsed as SQL)

Step 3: Profit

SLIDE 48

Buffer Overflows

SLIDE 49

Buffer Overflows

- Historically the form used by the majority of Internet attacks
  - At the time of these figures, about 50% of CERT advisories dealt with buffer overflows
  - A very quick & easy way to infect lots of machines

SLIDE 50

Major Buffer Overflows

- The Morris worm (1988) overflowed fingerd
  - Infected about 10% of the Internet that then existed
- Code Red (2001) used an overflow in Microsoft IIS
  - Infected roughly 300,000 machines in about 14 hours
- SQL Slammer (2003) hacked through MS SQL Server
  - Needed just 10 minutes to infect 75,000 machines

SLIDE 51

What Can We Do?

- Buffer overflow attacks are easy to stop in principle
  - Java does not allow this exploit to work, because every array access is bounds-checked
  - Still very common in C code

SLIDE 52

What is a Buffer?

- Memory set aside for quick access by the program
  - Usually found on the program stack or in the heap
  - A pre-defined size is used to improve access speed
  - But what happens if more data is stuffed into it than it can hold?

SLIDE 53

How to Handle a Buffer

- Should check for space before storing data
  - Just common sense to store only where permitted
  - Buffers are normally made large so they can hold all expected data
  - But there is a cost: added checks slow the program down
- Languages are split in their handling of array access
  - Automatic array bounds checks are done by Java and C#
  - Not in C or C++, and only optionally in older languages such as Pascal

SLIDE 54

Program Stack

- When calling a function, the program creates a stack frame
  - The values of the parameters are stored in this frame
  - It contains space for all of the local variables
  - And the address to return to when the function completes
- Since this is automatic, the system assumes the values are valid
  - The programmer cannot adjust or control this data from the source language
  - As soon as the function completes, execution blindly jumps to the return address

SLIDE 55

Stackframe Example

void foo(int i) {
    int x;
    int y;
    char buffer[100];
    // Code here...
}

Frame for foo(456), highest address first (each slot 4 bytes except the buffer):

  Parameters        i = 456
  Return Address    0xFEEDFACE
  Calling FP        0xA0029482
  Local Variables   x = 34
                    y = 34
                    buffer (100 bytes)   <- lowest address: writes past its end run upward into y, x, the saved FP and the return address


SLIDE 57

Smashing The Stack

- When we overflow the buffer...
  - The other local variables are overwritten first by the extra data
  - Then the saved frame pointer gets a brand new value
  - Next, the return address is set to whatever comes next in the input
- Oops.
  - The return address has to be accurate for the program to continue correctly
  - Our overflow replaced it with whatever the input put there
  - So who decides what code executes next? Whoever supplied the input.

SLIDE 58

Usually Just Crashes

- The system will normally crash as a result of the overrun
  - More often than not, the overflowing data is effectively random
  - Jumping to a random address is rarely productive
  - Woo-hoo! Our program is not unsafe, it just sucks.


SLIDE 60

What is Left?

- Must first wait for a hacker to find the bug
  - So long as nobody uses the program, this is not a problem
  - Once the program is used, count on the shortest wait ever
- Never ask "How could it be worse?"
  - Some languages have Strings as a primitive type
  - Many others use a null-terminated array of char
  - Functions process the array until the null character is found
  - This creates an entirely new source of possible hacks: a copy that stops only at the null byte has no idea how big the destination is

SLIDE 61

Possible Solutions

- Avoid functions that copy an unlimited number of bytes (gets, strcpy, strcat, sprintf)
  - Length-limited versions always exist (fgets, strncpy, strncat, snprintf); note that strncpy does not add a terminator when the source fills the buffer
- Restrict copies to the destination's actual size to prevent overflow
  - Requires that you know the array's actual size at the point of the copy
  - Must be updated everywhere when the code changes
  - Using magic numbers makes this very difficult; use sizeof or a named constant instead
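The frame from slide 55, the overwrite sequence from slide 57 and the bounded-copy fix from slide 61, as an added Python example (not code from the lecture). It models the frame with a ctypes Structure laid out from the lowest address up; that struct lives in the Python heap, not on the real machine stack, and the real layout is decided by the compiler and ABI, so the structure, the "unbounded" copy being capped at the struct's end, and the 0xDEADBEEF/0x41414141 values are assumptions for the example. What it does reproduce is the property that matters: the buffer is the lowest item, so bytes past its end land in y, x, the saved frame pointer and the return address:

```python
import ctypes
import struct

BUF_SIZE = 100  # named constant instead of a magic number (slide 61)


class Frame(ctypes.Structure):
    """Model of slide 55's stack frame, lowest address first.

    A ctypes struct on the Python heap, not the real machine stack (assumption
    for this example); the field order mirrors the slide's diagram.
    """
    _fields_ = [
        ("buffer", ctypes.c_char * BUF_SIZE),
        ("y", ctypes.c_int32),
        ("x", ctypes.c_int32),
        ("saved_fp", ctypes.c_uint32),
        ("ret_addr", ctypes.c_uint32),
    ]


def fresh_frame() -> Frame:
    """A frame holding the values shown on slide 55."""
    f = Frame()
    f.x, f.y = 34, 34
    f.saved_fp, f.ret_addr = 0xA0029482, 0xFEEDFACE
    return f


def strcpy_into_buffer(frame: Frame, data: bytes) -> None:
    """Unbounded copy in the style of strcpy(): writes all of data starting at
    buffer[0] with no regard for BUF_SIZE. The copy is capped at the end of the
    model struct only so the Python process itself is not corrupted; a real
    strcpy would keep going up the stack."""
    n = min(len(data), ctypes.sizeof(frame))
    ctypes.memmove(ctypes.addressof(frame), data, n)


def strncpy_into_buffer(frame: Frame, data: bytes) -> None:
    """Bounded copy: at most BUF_SIZE - 1 bytes, then a terminating NUL, so the
    neighbouring slots are never touched (the fix slide 61 recommends)."""
    n = min(len(data), BUF_SIZE - 1)
    ctypes.memmove(ctypes.addressof(frame), data, n)
    ctypes.memset(ctypes.addressof(frame) + n, 0, 1)


def smash(frame: Frame, fake_ret: int) -> None:
    """Classic input: fill the buffer, overwrite y, x and the saved FP, and
    land fake_ret exactly on the return-address slot (little-endian)."""
    payload = b"A" * BUF_SIZE + struct.pack("<iiII", 0, 0, 0xDEADBEEF, fake_ret)
    strcpy_into_buffer(frame, payload)


def where_will_it_return(frame: Frame) -> int:
    """The address the function will blindly jump to when it completes."""
    return frame.ret_addr
```

Feeding 200 bytes of "A" through strcpy_into_buffer turns every slot above the buffer into 0x41414141, the "random junk, program crashes" case of slide 58; smash() shows the same write with the bytes chosen so the return address becomes a value the attacker picked. The bounded copy leaves x, y, the saved frame pointer and the return address exactly as they were, and the size it checks against is the named constant, not a number repeated at every call site.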

SLIDE 62

Other Solutions

- Commercial libraries inject checks where they can (compiler stack protectors such as GCC's -fstack-protector do the same for the return address with a canary value)
  - As in modern languages, but less capable or useful
  - The checks add time: the program runs 2–3% slower
- Legacy code too difficult to fix can use these libraries
  - Most bosses would be angry about adding them to new code