Section 6: Session Management, Lab 2, & Clickjacking CSE 484 / - - PowerPoint PPT Presentation


Slide 1

Section 6: Session Management, Lab 2, & Clickjacking

CSE 484 / CSE M 584

Slide 2

Administrivia

  • May 8: Homework 2 Due @ 11:59pm
  • May 15: Final Project Checkpoint 1 Due
  • May 22: Lab 2 Due @ 11:59pm

Slide 3

Web Session Management

Slide 4

Primitive Online Transaction

  1. View catalog: www.e_buy.com → www.e_buy.com/shopping.cfm?uid=269
  2. Select item: www.e_buy.com/shopping.cfm?uid=269&item1=102030405
  3. Check out: www.e_buy.com/checkout.cfm?uid=269&item1=102030405

Store session information in URL; easily read on network

Slide 5

Encoding State in URL

  • Unstable, frequently changing URLs
  • Vulnerable to eavesdropping and modification
  • There is no guarantee that URL is private

ENCODING STATE IN URL IS A BAD IDEA

Slide 6

FatBrain.com circa 1999

  • User logs into website with his password, authenticator is generated, user is given special URL containing the authenticator

https://www.fatbrain.com/HelpAccount.asp?t=0&p1=me@me.com&p2=540555758

  • With special URL, user doesn’t need to reauthenticate
  • Reasoning: user could not have known the special URL w/o authenticating first.

That’s true, BUT…

  • Authenticators are global sequence numbers
  • It’s easy to guess sequence number for another user

https://www.fatbrain.com/HelpAccount.asp?t=0&p1=SomeoneElse&p2=540555752

  • Partial fix: use random authenticators

Slide 7

Storing State in Hidden Forms

  • Dansie Shopping Cart (2006)
    – “A premium, comprehensive, Perl shopping cart. Increase your web sales by making it easier for your web store customers to order.”

  <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">
    Black Leather purse with leather straps<BR>Price: $20.00<BR>
    <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse">
    <INPUT TYPE=HIDDEN NAME=price VALUE="20.00">
    <INPUT TYPE=HIDDEN NAME=sh VALUE="1">
    <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg">
    <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps">
    <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
  </FORM>

Change the hidden price (20.00) to 2.00: bargain shopping! Fix: validate with data stored on server!
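An added example (not from the slides or from the Dansie cart) of the fix on this slide: the same "add to cart" request handled once trusting the hidden price field and once looking the price up on the server. The catalog entries, the tampered form body and the function names are constructed for this example.

```javascript
// Added example: server-side handling of the cart.pl-style form above.
// The catalog is the server's source of truth; the form body is a
// constructed sample of what a client would POST after editing the
// hidden price field from 20.00 to 2.00.
const CATALOG = {
  "Black leather purse": { price: 20.0, sh: 1, img: "purse.jpg" },
};

// Vulnerable: trusts the hidden "price" field exactly as submitted, so the
// client decides what it pays.
function addToCartTrusting(cart, form) {
  cart.push({ name: form.name, price: Number(form.price) });
  return cart;
}

// Fix: the client may only name the item; the price comes from the server's
// catalog, and an item the catalog does not know is rejected outright.
function addToCartValidated(cart, form) {
  const item = CATALOG[form.name];
  if (!item) throw new Error("unknown item: " + form.name);
  cart.push({ name: form.name, price: item.price });
  return cart;
}

function cartTotal(cart) {
  return cart.reduce((sum, it) => sum + it.price, 0);
}

// Constructed tampered request: hidden price rewritten to 2.00.
const TAMPERED_FORM = { name: "Black leather purse", price: "2.00", sh: "1" };

// Demo: the trusting handler charges 2, the validated handler charges 20.
function demo() {
  return {
    trusting: cartTotal(addToCartTrusting([], TAMPERED_FORM)),
    validated: cartTotal(addToCartValidated([], TAMPERED_FORM)),
  };
}
```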

Slide 8

Better Session Management: Web Authentication via Cookies

Slide 9

Review: Cookies

  • What are they?
  • Strings stored by your browser for a particular website
  • A web server tells your browser to store a cookie
  • Your browser sends back that cookie for each subsequent request to that web server (and only that web server)

Browser → www.example.com: GET example.com
www.example.com → Browser: 200 OK, set-cookie user=123
Browser stores for example.com: user=123
Browser → www.example.com: GET example.com/myprofile, Cookie: user=123

Slide 10

What are cookies used for?

  • Authentication: helps the web server identify who is making the request and whether they have logged in
  • Personalization: can be used to store settings from previous visits
  • Tracking: follow the user from site to site; learn their browsing behavior

Slide 11

Back to Web Session Management

  • When session starts, server computes an authenticator and gives it back to browser in the form of a cookie
  • Authenticator must be un-forgeable and tamper-proof
  • Ex: MAC (server’s secret key, session id)

Slide 12

Back to Web Session Management

  • With each request, browser presents the cookie
  • Server recomputes and verifies the authenticator

Slide 13

Why are cookies targets for hackers?

Can be used to login as the victim user!

Slide 14

Aside: Cookies & Same Origin Policy

Which cookies can be set by login.site.com? login.site.com can set cookies for all of .site.com (domain suffix), but not for another site or top-level domain (TLD) and not for a specific different subdomain on site.com.

Allowed Domains:
  ✅ login.site.com
  ✅ .site.com
Disallowed Domains:
  ❌ othersite.com
  ❌ user.site.com
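The rule on this slide as a function a browser applies to the Domain attribute of a Set-Cookie header, added here as an example (not from the slides). It goes slightly beyond the slide by also refusing a bare TLD; the public-suffix check is simplified to single-label suffixes, whereas real browsers consult the public suffix list. Host names and the function name are constructed.

```javascript
// Added example: may a page on settingHost set a cookie scoped to
// cookieDomain? Implements the "domain suffix" rule from this slide.
function canSetCookieDomain(settingHost, cookieDomain) {
  const host = settingHost.toLowerCase();
  // A leading dot is ignored (".site.com" means "site.com"), as in RFC 6265.
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (domain === host) return true; // the setting host itself
  // Refuse a bare TLD such as "com": that cookie would reach every .com site.
  // (Simplification: real browsers check the full public suffix list.)
  if (!domain.includes(".")) return false;
  // Otherwise the host must lie under the domain: "login.site.com" ends with
  // ".site.com". othersite.com and the sibling user.site.com do not qualify.
  return host.endsWith("." + domain);
}

// The four cases from the slide, evaluated for a page on login.site.com.
function slideCases() {
  const setter = "login.site.com";
  return {
    "login.site.com": canSetCookieDomain(setter, "login.site.com"), // allowed
    ".site.com": canSetCookieDomain(setter, ".site.com"),           // allowed
    "othersite.com": canSetCookieDomain(setter, "othersite.com"),   // refused
    "user.site.com": canSetCookieDomain(setter, "user.site.com"),   // refused
  };
}
```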

Slide 15

Reflective XSS Review

Slide 16

Lab 2 Overview

Slide 17

Lab 2 Overview: Types of Attacks

  • Cross Site Scripting: 6 targets + 2 extra credit
  • SQL Injection: 2 targets + 1 extra credit
  • Cross Site Request Forgery: 1 target

Slide 18

Lab 2: What is involved?

  • A bit of: HTML, JS, (less of) PHP, SQL
  • Lots of resources in spec

Slide 19

Pikachu, Meowth, and Cookies

  • Each target has a “safe” (a link) that requires an authenticated cookie to open
  • Meowth server accepts URLs to images
  • Valid URLs are visited by Meowth using a Firefox browser
  • Invalid URLs cause the server to return an error page

Slide 20

Pikachu, Meowth, and Cookies

Goal: Steal Meowth’s server’s cookie. Use this cookie to open the safe.

Slide 21

Pikachu, Meowth, and Cookies

  • Invalid input is displayed on the page
  • How is this vulnerable?
  • What if we included HTML?
  • JavaScript?

Input string: <ui><li>List item 1</li><li>List item 2</li></ui>
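Two defenses against the weakness on this slide, added as an example (not from the slides or the lab targets): HTML-escaping the echoed input so the browser renders it as text rather than markup, and marking the session cookie HttpOnly so page script cannot read it through document.cookie even when a script does get injected. The error-page wording, cookie name and function names are constructed.

```javascript
// Added example: hardening a page that echoes invalid input back to the user.

// Replace the five characters that can change HTML structure or break out
// of an attribute with their entity forms.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Error page body. The vulnerable version interpolates the raw input, so
// markup in the input becomes part of the page; the fixed version escapes.
function errorPageVulnerable(input) {
  return `<p>Not a valid URL: ${input}</p>`;
}
function errorPageFixed(input) {
  return `<p>Not a valid URL: ${escapeHtml(input)}</p>`;
}

// Set-Cookie header for the session cookie. HttpOnly keeps it out of
// document.cookie, Secure restricts it to HTTPS, SameSite=Lax limits
// cross-site sending.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Demo with the list-markup input string from the slide.
const SAMPLE_INPUT = "<ui><li>List item 1</li><li>List item 2</li></ui>";

function demo() {
  return {
    vulnHasListTag: /<li\b/.test(errorPageVulnerable(SAMPLE_INPUT)), // true
    fixedHasListTag: /<li\b/.test(errorPageFixed(SAMPLE_INPUT)),     // false
    fixedPage: errorPageFixed(SAMPLE_INPUT),
    cookieHeader: sessionCookieHeader("session", "constructed-value"),
  };
}
```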

Slide 22

Lab 2 XSS Workflow Steps

  1. Set up a PHP script for receiving the cookie (a simple server)
  2. Construct and send a cookie-stealing URL to the bot
  3. Retrieve the cookie from your server and use it to access the safe

Goal: get the bot to visit an attacker-controlled URL with its cookie included

Slide 23

How do you receive the cookie?

Step 1

You have access to CSE web hosting! Host a PHP script at homes.cs.washington.edu

  • Write a PHP script, store it on attu as: /cse/web/homes/<netid>/cookieEater.php
  • Browsers can call this script at https://homes.cs.washington.edu/~<netid>/cookieEater.php

Slide 24

How do you receive the cookie?

Step 2

When your XSS attack gets the bot to call this URL, pass the cookie as a URL parameter

  • Use JavaScript to steal document.cookie and insert it into the URL
  • https://homes.cs.washington.edu/~<netid>/cookieEater.php?cookie=secretCookieValue

Slide 25

How do you receive the cookie?

Step 3 & 4 Extract the cookie from the URL. In your script, write the cookie to a file, so you can ssh in and copy it.

https://www.w3schools.com/php/php_file_create.asp

Slide 26

How do you get the bot to run your script?

  • The bot won’t visit invalid URLs, so just passing it JavaScript won’t work
  • However, invalid URLs will be displayed on the error page
  • Input your attack string to encode it, then take the URL of the error page and submit it to the bot
  • Bot will visit the error page with the displayed script!

Slide 27

Lab 2 Detailed XSS Workflow

Adversary side → Server side:

  1. Construct malicious script string → Submit string to “send link” → String is displayed on page; page complains it is not a link. At this point, if your cookie script works, you can pull your own cookies.
  2. Copy URL containing encoded script string → Submit URL containing script instead → Bot visits link; string is displayed on page; link is accepted. Script now pulls cookies from the bot.
  3. Get cookie from output, set cookie, and open safe.

Slide 28

Viewing / Setting Cookies (Firefox)

  • Open inspector: Options → Web Developer → Storage Inspector
  • Add a cookie: Add item (+) → Set name and value

Slide 29

Viewing / Setting Cookies (Chrome)

  • Open inspector: On page, click anywhere → Inspect
  • Add a cookie: Application → Cookies → Double click new row → Add name and value

Slide 30

Final Notes on Lab 2

  • Subsequent targets will begin filtering input
  • If you need help with lab setup, please come to office hours!
  • Make sure to follow the chmod instructions in the spec

Slide 31

Clickjacking

Slide 32

Clickjacking (UI Redressing)

  • Attacker overlays multiple transparent or opaque frames to trick a user into clicking on a button or link on another page
  • Clicks meant for the visible page are hijacked and routed to another, invisible page

Slide 33

How does it work?

  • Any site can embed any other site using an iframe

<iframe src = http://www.google.com/...> </iframe>

  • Use CSS to make the iframe of the target site invisible
    – opacity defines visibility percentage
  • Use CSS to put the iframe’s button over the parent page’s button

[Diagram: the page www.attacker.site.com shows “Click here to see cute cats!”; an iframe of venmo.com/wolfson/send with “Send $40” and a Submit button is placed over it]

Slide 34

Other Variants

  • Fake cursors (mouse pointers)
  • Stealing text box focus – redirecting typing elsewhere
  • Double clickjack: ask user to double click, pop a window up right below the mouse in between clicks

Slide 35

Defenses

  • Websites can prevent themselves from being used in an iframe, using the X-Frame-Options header
  • Websites can check if they are in an iframe, and who is embedding them, by looking at the Referer header
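Both defenses on this slide as an added example (not from the slides): a server-side helper that emits X-Frame-Options together with its modern equivalent, Content-Security-Policy frame-ancestors, and a client-side check that detects framing by comparing window.top with window.self and reads the embedder from document.referrer (the Referer the slide refers to). The window and document objects are constructed stand-ins so the check runs outside a browser; function names are assumptions.

```javascript
// Added example: anti-clickjacking response headers and an in-page frame check.

// Server side. With allowSameOrigin=false no page may frame us; with true,
// only pages from our own origin may. Both headers are sent because older
// browsers honour only X-Frame-Options while current ones prefer CSP.
function framingHeaders(allowSameOrigin) {
  return allowSameOrigin
    ? { "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'" }
    : { "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'" };
}

// Client side. Returns null when the page is top-level; otherwise the URL of
// the embedding page as reported by document.referrer (empty string when the
// embedder sent no Referer). Because Referer can be absent or stripped, this
// is useful for logging and for deciding to hide sensitive controls, not as
// the sole defense: the headers above do the enforcing.
function detectFraming(win, doc) {
  if (win.top === win.self) return null;
  return doc.referrer || "";
}

// Constructed stand-ins: a top-level window, and a window nested in an
// iframe on the attacker.site.com page from slide 33.
const TOP_WINDOW = (() => { const w = {}; return { top: w, self: w }; })();
const TOP_DOC = { referrer: "" };
const FRAMED_WINDOW = { top: {}, self: {} };
const FRAMED_DOC = { referrer: "http://www.attacker.site.com/cats" };

function demo() {
  return {
    deny: framingHeaders(false),
    topLevel: detectFraming(TOP_WINDOW, TOP_DOC),          // null
    framedBy: detectFraming(FRAMED_WINDOW, FRAMED_DOC),    // attacker page URL
  };
}
```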