
LECTURE 23: MORE SECURITY, CSE 442 Software Engineering (PowerPoint PPT presentation)



  1. LECTURE 23: MORE SECURITY CSE 442 – Software Engineering

  2. Serious Hacking Attempts

  3. Cross Site Request Forgery

  4. Cross-Site Requests
     - Same-site request: the local page makes an HTTP request to its own site
     - A request sent to another site is called a cross-site request
     - Many different reasons for including an HTTP request:
         - Embed images
         - Load frames
         - Show ads
         - Send link
     - The browser sends cookies on same-site AND cross-site requests

  5-10. Cross Site Request Example (figure built up over six slides): a Browser holds a Page from Facebook and a Page from Google, each making Same-Site Requests to its own site, and a Page with Ads & Like button, which makes Cross-Site Requests.

  11. Cross-Site Knowledge
     - Browsers know whether a request is cross-site or not
         - But the type of request is NOT shared with the server
     - When cookies store state, problems can arise
         - To check for authorization, the server retrieves the current state
         - But cookies are sent on all requests, even cross-site ones
     - This creates an opportunity for mischief by forging a request
         - Cross-Site Request Forgery (CSRF) is the name for this attack

  12. CSRF Example
     Page on NotEvilHacker.com contains:
         <img src="facebook.com?action=post&content=HertzStuff">
     (figure: the Browser loads the page and sends the image request to facebook.com)

  13. CSRF Bank Example
     - To identify the user, the site sets a session cookie when the user logs in
         - The server always checks the cookie, so the hack is not possible
     - Once done, the victim leaves WITHOUT logging out
         - HTTP is stateless, so the server assumes the authorization is still valid
     - Each time the victim loads the site, the attacker steals $500:
         www.vic.com/transfer.php?to=250&amt=500
         - The site is secured on the server side & the attacker lacks access
         - But the victim still has the browser cookie, so the request looks valid
     - Just the request is needed, no clicks required
         - The browser will connect if the link is the src of an img, iframe, or script

  14. Get and Post
     - GET requests are simpler, but forging a POST is possible
         - Usually needs a button click, but that can be done in JS:
         <body onload="document.forms[0].submit();">
         <form action="http://vic.com/transfer.do" method="POST">
           <input type="hidden" name="to" value="250"/>
           <input type="hidden" name="amt" value="500"/>
           <input type="submit" value="Dank Memes"/>
         </form>

  15. Social engineering
     - Must trick the victim into loading the page
     - To do this, many techniques exist
     - A browser is not needed if the email is in HTML
         - Aside: we often disable images in email
     - Very low chance that the scheme works
         - Handle this by sending to many people
         - A commonly used website is best for this
         - If the targets are known, a lesser-used site is okay

  16. CSRF Countermeasures
     - The optional Referer field in the HTTP header (HTTP's own spelling) states the sender
         - The field has to expose history, so it leaks info about the user
         - To protect privacy, some browsers never include the field
     - HTTP is an open protocol; an attacker could write their own program
         - Spoof the Referer to match needs rather than reality
     - Could add a field specifying whether the request is cross-site or not


  18. CSRF Countermeasures
     - Random secret value ("Secret Token") on each page
     - Include the secret value when the page's information is sent
         - Other pages lack access, due to the same origin policy: scripts can only access the DOM of pages with the same origin
     - Could also use a cookie to store the secret value
         - When the request is submitted, read the cookie & add its value to the request
         - The same origin policy prevents the attacking page from reading the cookie
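The two countermeasures on this slide, applied to the bank transfer form from slides 13 and 14, as an added example that is not part of the lecture slides. The class and function names (Session, render_transfer_form, handle_transfer, double_submit_ok) are mine; the "transferred"/"rejected" strings stand in for whatever a real server would do.

```python
# Added example (not from the lecture slides): a synchronizer-token CSRF
# check of the kind slide 18 describes, for the transfer form on slides 13-14.
# Names are mine; the session cookie lookup is assumed to happen elsewhere.
import hmac
import secrets


class Session:
    """Server-side session state found via the session cookie."""

    def __init__(self, user: str) -> None:
        self.user = user
        # One unguessable token per session. A page on another origin cannot
        # read it: the same-origin policy keeps it out of our DOM and cookies.
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session: Session) -> str:
    """The legitimate page embeds the session's token as a hidden field."""
    return (
        '<form action="/transfer.do" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}"/>'
        '<input type="hidden" name="to" value="250"/>'
        '<input type="hidden" name="amt" value="500"/>'
        "</form>"
    )


def handle_transfer(session: Session, form: dict) -> str:
    """Accept the POST only if the token in the body matches the session.

    The browser attaches the session cookie to every request, same-site or
    cross-site, so the cookie alone says nothing about who built the form.
    """
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token byte by byte through timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "rejected: missing or wrong CSRF token"
    return f"transferred {form['amt']} from {session.user} to account {form['to']}"


def double_submit_ok(cookie_token: str, form_token: str) -> bool:
    """The slide's cookie variant: the token lives in a cookie and is copied
    into the form body by our own script; a cross-site page cannot read the
    cookie, so it cannot produce a matching body field."""
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


def demo() -> tuple:
    session = Session("victim")
    # Legitimate submission: a form built by our own page carries the token.
    legit = handle_transfer(
        session, {"csrf_token": session.csrf_token, "to": "250", "amt": "500"}
    )
    # Forged submission (slide 14's auto-submitting form): the cookie still
    # arrives, but the attacker's page had no way to learn the token.
    forged = handle_transfer(session, {"to": "250", "amt": "500"})
    return legit, forged


if __name__ == "__main__":
    print(demo())
```

The check only works if the token is tied to the session and compared on every state-changing request; a token that is the same for all users, or a check that is skipped for GET, gives slide 13's attack back.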

  19. Cross Site Scripting

  20. Cross Site Scripting (XSS)
     - Attacks by providing code rather than data
         - A type of "injection" attack that is very common on the web
         - Works when the browser interprets the input as a scripting language
     - Any input channel is a potential attack vector for XSS
         - The attack can occur immediately if real-time inputs are used
         - With persistent storage, it is delayed until the data is read & used

  21-22. Cross Site Scripting (XSS): two figure-only slides

  23. Who Cares?
     - Can program user actions by embedding Javascript
         - The browser would act as if the actions were performed by the user
         - Computers have an IQ of 0; they do not know what the user wanted
     - Using XSS a malicious actor can:
         - Steal cookies
         - Deface websites (fake news; embarrassing images)
         - Create a wiretap of keystrokes
         - Steal personal information
         - Run exploits (SAMY worm)

  24. Defense Against XSS
     Filtering: for HTML, must reject inputs such as
         - <script>
         - <iframe>
         - <div style="background:url('javascript:alert(1)')">
         - <IMG src=j&#X41vascript:alert(1)>
         - eval('xmlhttp.onread'+'ydstatechang'+'e=callback');
         - Many others are also possible
     Encoding: replace characters with their encoding & have HTML render them
         - < becomes &lt;
         - > becomes &gt;
         - & becomes &amp;
         - space (␠) becomes &nbsp;
         - paragraph break (¶) becomes <br/>


  26. Filtering & Encoding Support
     - Many libraries have been created to help developers with this work
         - JSoup exists for Java (jsoup.org/)
         - AntiXSS is usable in .Net (www.nuget.org/packages/AntiXSS)
         - OWASP Enterprise Security API has multi-lingual support (www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Home)
     - Can also find help in languages providing functions
         - htmlspecialchars() is defined for PHP
         - ValidateRequest() method defined by ASP.net
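Slide 24's encoding table and deny-list, and slide 26's point that this work is normally done by a library function such as htmlspecialchars(), as an added example that is not from the lecture. The encoder follows the slide's table; the two quote rows are my addition (needed when the value lands inside an attribute), and the function names, the deny-list contents and the audit() helper are mine. The sample inputs are the ones slide 24 lists.

```python
# Added example (not from the slides): output encoding per slide 24's table,
# run over the inputs slide 24 says a filter must reject. Names are mine.
ENCODING = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",   # added: otherwise input could close an attribute value
    "'": "&#x27;",   # added: same, for single-quoted attributes
    " ": "&nbsp;",   # slide 24: space becomes &nbsp;
    "\n": "<br/>",   # slide 24: paragraph break becomes <br/>
}


def encode_for_html(text: str) -> str:
    """Replace each significant character so the browser renders it as text
    instead of interpreting it as markup. Characters are handled one at a
    time, so an '&' that already starts an entity in the input (as in the
    j&#X41vascript sample) is encoded too: input is data, never markup."""
    return "".join(ENCODING.get(ch, ch) for ch in text)


def naive_reject(text: str) -> bool:
    """A deny-list filter in the spirit of slide 24's left column.
    Returns True when the input is rejected. Kept deliberately simple to
    show why a deny-list is the weaker of the two defenses."""
    lowered = text.lower()
    return any(bad in lowered for bad in ("<script", "<iframe", "javascript:", "eval("))


def is_inert(encoded: str) -> bool:
    """True when no raw markup survives except the <br/> we inserted ourselves."""
    stripped = encoded.replace("<br/>", "")
    return "<" not in stripped and ">" not in stripped


# The five inputs from slide 24 (copied from the slide, not invented here).
SAMPLES = [
    "<script>",
    "<iframe>",
    "<div style=\"background:url('javascript:alert(1)')\">",
    "<IMG src=j&#X41vascript:alert(1)>",
    "eval('xmlhttp.onread'+'ydstatechang'+'e=callback');",
]


def audit(samples: list) -> list:
    """For each sample: (input, caught by deny-list?, harmless after encoding?)."""
    return [(s, naive_reject(s), is_inert(encode_for_html(s))) for s in samples]


if __name__ == "__main__":
    for sample, rejected, inert in audit(SAMPLES):
        print(f"{sample!r:60} filter={rejected!s:5} encoded_inert={inert}")
```

Running audit() shows the asymmetry the slide is getting at: the deny-list misses the slide's own `<IMG src=j&#X41vascript:alert(1)>` sample because the entity breaks up the substring `javascript:`, while encoding makes every sample render as plain text. That is why slide 26 points at library functions: the encoder must be correct for every character the target context treats specially, and a library that already knows the HTML, attribute and JavaScript contexts is safer than a hand-written one.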

  27. SQL Injection Attacks

  28. SQL Injection Attack
     - Like XSS, attacks by providing code rather than data
         - Much more dangerous because it attacks data servers
         - The damage is greater, too; all of the server's data can be compromised

  29. SQL Injection Attack Key
     - The attack takes advantage of most web apps' structure
         - The browser attacks by crafting input sent to the app server
         - But this attack is not on the app server; it is carried out by the app server
         - The database is left defenseless since it trusts the app server
     (figure: Browser -> Web Application Server -> Database)

  30. Sample Database Table
     Table Name: USERS_TABLE
         UID  NAME     GENDER  AGE  EMAIL              PASSWD
         1    Alice    F       22   alice@buffalo.edu  az34Fn89
         2    Bob      M       30   bob@buffalo.edu    Ff4323sa9
         3    Carol    F       26   carol@buffalo.edu  Ra234d02
         4    Douglas  M       44   doug@buffalo.edu   22as95asdF
     - Basic operations: select, insert, update, & delete
         - The "cooler" name is CRUD, for create, read, update, delete

  31. Insert Statement
     Table Name: USERS_TABLE (same rows as slide 30)
         INSERT INTO USERS_TABLE VALUES ('5', 'Edgar', 'M', '30', 'ed@buffalo.edu', '45adr56y')

  32. Update Statement
     Table Name: USERS_TABLE (same rows as slide 30)
         UPDATE USERS_TABLE SET EMAIL='a@gmail.com' WHERE NAME='Alice'
         UPDATE USERS_TABLE SET AGE=43            (no WHERE clause: every row is updated)

  33. Delete Statement
     Table Name: USERS_TABLE (same rows as slide 30)
         DELETE FROM USERS_TABLE WHERE NAME='Alice'
         DELETE FROM USERS_TABLE WHERE Age < 25
         DELETE FROM USERS_TABLE                  (no WHERE clause: every row is deleted)

  34. SQL Comments
     - SQL supports single-line and multi-line comments
         - Start with -- for a single-line comment
         - Put text between /* */ for a multi-line comment
         SELECT * FROM Customers -- WHERE City='Berlin';
         /* Select all the columns of all the records in the Customers table: */
         SELECT * FROM Customers;
         SELECT CustomerName /*, City, Country*/ FROM Customers;

  35. Web App Flow of Data (figure: Browser -> Web Application Server -> Database)
     PHP on the application server:
         <?php
         $sql = "SELECT id, name, salary
                 FROM credential
                 WHERE eid='$eid' AND password='$passwd'";
         $result = $conn->query($sql);
         ?>
     Query as sent to the database after the variables are substituted:
         SELECT id, name, salary
         FROM credential
         WHERE eid='9999' AND password='secret';

  36. Hack Attack! What input(s) will retrieve more than we should?
         <?php
         $sql = "SELECT id, name, salary FROM credential WHERE eid='$eid' AND password='$passwd'";
         $result = $conn->query($sql);
         ?>

  37. SQL Injection Attack (1)
     - If $eid is:  x' OR 1=1 --
     - The query would be sent to the database and executed as:
         SELECT * FROM credential WHERE eid = 'x' OR 1=1 -- '
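The lookup from slides 35 to 37 written out against an in-memory SQLite table, as an added example that is not from the lecture: once built by string interpolation the way the PHP on slide 36 does it, and once as a parameterized query, which is the standard fix. The `--` behaviour is the one slide 34 describes. Table rows, salaries and the second user are constructed for the example; the column names follow the slides, and the function names are mine.

```python
# Added example, not from the slides: the credential lookup of slides 35-37
# in Python against SQLite, vulnerable form beside the parameterized form.
# Rows below are constructed for the example.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credential "
        "(id INTEGER, name TEXT, salary INTEGER, eid TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO credential VALUES (?, ?, ?, ?, ?)",
        [(1, "Alice", 90000, "9999", "secret"), (2, "Bob", 75000, "1234", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, eid: str, passwd: str) -> list:
    # Same shape as slide 36: the user's text is pasted into the statement, so a
    # quote in $eid ends the literal and -- (slide 34) comments out the rest,
    # including the password check.
    sql = (
        "SELECT id, name, salary FROM credential "
        f"WHERE eid='{eid}' AND password='{passwd}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, eid: str, passwd: str) -> list:
    # Placeholders: the driver passes the values separately from the statement
    # text, so the quote and the comment marker are just characters in a
    # string that no eid happens to equal.
    sql = "SELECT id, name, salary FROM credential WHERE eid=? AND password=?"
    return conn.execute(sql, (eid, passwd)).fetchall()


def demo() -> dict:
    conn = make_db()
    honest = ("9999", "secret")
    injected = ("x' OR 1=1 --", "anything")   # slide 37's value for $eid
    return {
        "vulnerable_honest": lookup_vulnerable(conn, *honest),
        "vulnerable_injected": lookup_vulnerable(conn, *injected),
        "param_honest": lookup_parameterized(conn, *honest),
        "param_injected": lookup_parameterized(conn, *injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20} {rows}")
```

With the honest input both versions return Alice's row. With slide 37's input the interpolated version returns every row in the table, since the WHERE clause has become `eid='x' OR 1=1`, while the parameterized version returns nothing because it looks for an employee whose eid is literally the string `x' OR 1=1 --`. The database cannot tell the two versions apart in the first case: as slide 29 says, it trusts whatever the application server sends.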
