2011 Summer Answers (Web Security)

ovenforksqueeSecurity

Nov 3, 2013 (3 years and 10 months ago)



Question 1 (Total 30 marks)

a) Explain why a web-site should not use the HTTP request referrer field to check whether a visitor arrived at the page via its ‘front door’ web-page. (6 marks)



The referrer field may not always contain the correct information. For example, a Firefox plugin called ‘BrowserMasquerade’ may be used to change the URL in the referrer field, so it can easily be changed to make it look as if the visitor came from the website's front door.


b) A website authentication form results in HTTP GET request:
https://www.foobar.com/login.php?name=simon&password=nomis

Comment on the security of this request. (6 marks)



This HTTP GET request can be seen by any user of the foobar website, whether or not this user is the owner of the username or password that has been freely shown. Therefore this HTTP request is a direct threat to security, as both username and password can be discovered and potentially copied.


c) Why shouldn’t a web-site administrator store the password file (eg .htpasswd) used by HTTP Basic authentication under the document root? (6 marks)



If the .htpasswd file is stored under the database root then it will be very easy for a malicious user to gain access to it if he/she wishes. Once this malicious user has gained access they may cause a variety of threats such as changing the admin password or uploading a new .htpasswd file altogether.


d) A programmer writes a PHP script dbconnect.inc that contains database credentials and is used to connect to a database. What is wrong with the programmer simply referencing this file as requires (dbconnect.inc) in every PHP script that he writes? (6 marks)



Every time the programmer requests the dbconnect.inc file in another file's code he is taking a big risk. Anyone who views the code of the file that is including dbconnect.inc can easily deduce that this file may contain a database table name, username and password. Also, dbconnect.inc can be opened with most text editors to show its code, thus any malicious user can easily gain access to the programmer's database, from which they can drop tables at the click of a button.


e) Outline the operation of PHP Safe mode and why it is advisable not to rely upon this security control for shared hosting. (6 marks)



PHP safe mode provides blacklisting/controls over access to functions that are considered dangerous. However, it is easy for the web site administrator to overlook certain dangerous functions. If a single dangerous function is overlooked then safe mode is entirely ineffective.



Shared hosting environments typically offer more than just PHP hosting, for example they may permit users to also host CGI scripts. For example, a PHP script can be executed from within a CGI wrapper that will let you get around the PHP safe mode completely.


Question 2 (Total 25 marks)

A (Basic HTTP) authenticated user of a photograph-sharing web-site uses an access control form to publish (make public) individual photographs that he/she owns.


<form method="POST" action="fotobar.com/publish.php">
<p> Photo Name: <input type="text" name="pname"></p>
<input type="hidden" name="owner" value="<?php echo $_SERVER['REMOTE_USER']?>">
<p><input type="submit" value="Publish"></p>
</form>


The following fragment of publish.php updates database table photo (owner, pname, isPublic, image), whereby a photograph image owned by owner with name pname is readable by anyone if isPublic is True.

$owner = $_REQUEST['owner'];
$pname = $_REQUEST['pname'];
$sql = "UPDATE photo SET isPublic=True
        WHERE owner = '$owner' AND pname='$pname'";
$dbresult = mysql_query($sql);


a) Describe how this web-page is vulnerable to a SQL injection attack and explain how this vulnerability should be mitigated. (15 marks)



A malicious user could manipulate this form to make another user's picture public.

Users should be required to login first, and only then should have permission to make their own pictures public.
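A hardened version of the publish.php fragment, added here as an example (it is not part of the original exam paper or the posted answers). It assumes a mysqli connection to the same photo table, placeholder database credentials, and that HTTP Basic authentication is still in use so $_SERVER['REMOTE_USER'] holds the logged-in user.

```php
<?php
// Added example: prepared statement plus server-side ownership check.
// Assumes a mysqli connection (placeholder credentials) and Basic auth.
declare(strict_types=1);

function publishPhoto(mysqli $db, string $owner, string $pname): int
{
    // The values are bound as data and never spliced into the SQL text, so a
    // quote character in $pname cannot alter the WHERE clause.
    $stmt = $db->prepare(
        'UPDATE photo SET isPublic = TRUE WHERE owner = ? AND pname = ?'
    );
    $stmt->bind_param('ss', $owner, $pname);
    $stmt->execute();
    $rows = $stmt->affected_rows;   // 0: no row matched (or it was already public)
    $stmt->close();
    return $rows;
}

// The owner comes from the identity the server authenticated, not from the
// hidden "owner" form field, which any client can rewrite before submitting.
$owner = $_SERVER['REMOTE_USER'] ?? null;
if ($owner === null) {
    http_response_code(401);
    exit('Authentication required');
}

// Read only POST, not $_REQUEST (which also accepts GET parameters and cookies).
$pname = $_POST['pname'] ?? '';
if ($pname === '') {
    http_response_code(400);
    exit('Missing photo name');
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'fotobar'); // placeholder credentials
if (publishPhoto($db, $owner, $pname) === 0) {
    http_response_code(404);
    exit('No such photo for this user');
}
echo 'Photo published';
```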


b) Suppose that the programmer decides to replace the HTTP Basic Authentication by a dedicated login.php script whereby session state is managed for visitors authenticated against a user/password database. Outline how a poorly implemented login.php script can be subject to a session fixation attack and how it should be mitigated. (10 marks)



Session fixation attack: where the attacker tricks the victim into using a session id that the attacker already knows.

1. Attacker is given a valid session id from the web site's server. For example, http://foobar.com?PFPSESSID=1234
2. The attacker tricks the victim into using this session id. For example, the victim follows http://foobar.com?PFPSESSID=1234 as a result of a CSRF attack.
3. In this session, the victim sends his credentials to the server. For example, the victim logs in and $_SESSION['userid'] is set to their name.
4. From now on the session is authenticated and the attacker knows the session id. He can now masquerade under the victim's identity.




A poorly implemented login script would set the victim's session id like:

$_SESSION['userid'] = $userid;

Here the victim is open to a session fixation attack because the userid that the victim has authenticated with will be the session id that the attacker tricked the victim into using.




To avoid a session fixation attack the application should regenerate the session id whenever the user authenticates or there is a change of privilege. As in the code below:

session_regenerate_id();
$_SESSION['userid'] = $userid;
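The authenticate-then-regenerate step of a login.php, added here as an example (not code from the exam paper or the posted answers). It assumes a hypothetical lookupPasswordHash($username) that returns the stored password_hash() value for a user, or null if the user does not exist, and that the form posts fields named name and password.

```php
<?php
// Added example: login.php that resists session fixation.
// Assumes lookupPasswordHash() (hypothetical) returns a password_hash() string or null.
declare(strict_types=1);

// Refuse session ids passed in the URL (the ?PFPSESSID=1234 trick above), reject
// ids the server never issued, and keep the cookie away from script and plain HTTP.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function loginUser(string $username, string $password): bool
{
    $hash = lookupPasswordHash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Privilege change: throw away the pre-login id (which an attacker may have
    // planted) and delete its server-side data, then store the identity under
    // the fresh id that only this browser has received.
    session_regenerate_id(true);
    $_SESSION['userid'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

$username = $_POST['name'] ?? '';
$password = $_POST['password'] ?? '';
if (loginUser($username, $password)) {
    header('Location: /home.php');
} else {
    http_response_code(401);
    echo 'Login failed';
}
```

The same session_regenerate_id(true) call belongs at every other privilege change (for example, promotion to administrator), not only at login.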


Question 3 (Total 25 marks)

Continuing the previous example:

a) Describe how the web-page is vulnerable to a Cross Site Request Forgery and explain with the help of PHP code fragments how this vulnerability may be mitigated by use of synchronizers. (15 marks)
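A synchronizer token for the publish form, added here as an example (not part of the exam paper or the posted answers). It assumes the session has already been started and the user is authenticated, so identity comes from the session rather than the hidden owner field; the field name csrf_token is an assumption.

```php
<?php
// Added example: synchronizer (anti-CSRF) token stored in the session.
// Assumes session_start() has run and the user is already authenticated.
declare(strict_types=1);

// Called when rendering the form: one unpredictable secret per session, kept
// server-side and echoed into the page as a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function publishForm(): string
{
    // The hidden owner field is dropped: the owner is taken from $_SESSION['userid'].
    return '<form method="POST" action="publish.php">'
        . '<p>Photo Name: <input type="text" name="pname"></p>'
        . csrfField()
        . '<p><input type="submit" value="Publish"></p>'
        . '</form>';
}

// Called at the top of publish.php before any database work. A request forged
// from another site cannot read this user's page, so it cannot supply the token.
function requireCsrfToken(): void
{
    $submitted = $_POST['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time; the empty check guards a fresh session.
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}
```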

b) Assuming that the SQL injection and CSRF attacks have been mitigated, explain how an attacker can still change the isPublic setting of a photograph owned by another user. (10 marks)