Berkeley COMPSCI 161 - Web Attacks

Web Attacks (con't)
CS 161 Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 22, 2011

Announcements
- See the "Still confused about question 4 submission format" thread in Piazzza (#116).
- Guest lecture a week from Thursday (March 3rd): Prof. David Wagner.
- My office hours the week of March 7th will be by appointment.
- I may move my office hours next Monday to 1-2PM; if so, I will announce it on Piazzza. Let me know if this would be a hardship.

Defending Against Command Injection
- In principle, can prevent injection attacks by properly sanitizing input sent to web servers: remove or escape meta-characters.
  - Easy to get wrong by overlooking a metacharacter or an escaping subtlety.
- Better: avoid using a feature-rich API (KISS + defensive programming).
  - E.g., use execve() to invoke a desired program rather than system().

Command Injection in the Real World

Structure of Modern Web Services
1. Browser sends a URL / form to the web server: command.php?arg1=x&arg2=y
2. Web server builds an SQL query from x and y and sends it to the database server.
3. Database server returns custom data corresponding to x, y.
4. Web server builds a web page using the custom data and returns it to the browser.

SQL
- Widely used database query language.
- Fetch a set of records:
    SELECT * FROM Person WHERE Username='oski'
- Add data to the table:
    INSERT INTO Person (Username, Balance) VALUES ('oski', 10);  -- oski has ten buckaroos
  ("--" starts an SQL comment.)
- Modify data:
    UPDATE Person SET Balance = 42 WHERE Username='oski'
- Query syntax (mostly) independent of vendor.

SQL Injection Scenario
- Suppose the web server front end stores the URL parameter "recipient" in the variable $recipient and then builds up a string with the following SQL query:
    $sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='$recipient'";
- The query accesses the recipient's account if their balance is < 100.
- So for recipient=Bob the SQL query is:
    SELECT PersonID FROM Person WHERE Balance < 100 AND Username='Bob'
- How can recipient cause trouble here? How can we see anyone's account?

SQL Injection Scenario, con't
- WHERE Balance < 100 AND Username='$recipient'
- recipient = foo' OR 1=1 --
- WHERE Balance < 100 AND Username='foo' OR 1=1 --'
- Precedence + comment makes this:
    WHERE (Balance < 100 AND Username='foo') OR 1=1
  which is always true.
- How about recipient = foo'; DROP TABLE Person; --
- Now there are two separate SQL commands, thanks to the ';' command separator.
- Can change the database however you wish.

Defenses
- Defenses: work in progress.
- Language support for constructing queries: specify the query structure independent of user input.
- Prepared Statement:

    ResultSet getProfile(Connection conn, int uid) throws SQLException {
      String query = "SELECT profile FROM Users WHERE uid = ?";  // "?" is where the untrusted user input goes
      PreparedStatement p = conn.prepareStatement(query);
      p.setInt(1, uid);                                           // binds the value of uid to the atom
      return p.executeQuery();
    }

  - Input is confined to a single SQL atom.
  - No matter what input the user provides, the Prepared Statement ensures it will be treated as a single SQL datum.
- Template language ensures the variable is fully escaped:
    <P>Hello $username, Welcome back</P>

5 Minute Break

Questions Before We Proceed?

Basic Structure of Web Traffic
- Includes: the resource from the URL, headers describing browser capabilities, and associated data (for POST).

HTTP Request
- Method, Resource, HTTP version:
    GET /login.html?user=alice&pass=bigsecret HTTP/1.1
- Headers:
    Accept: image/gif, image/x-bitmap, image/jpeg
    Accept-Language: en
    Connection: Keep-Alive
    User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
    Host: mybank.com
    Referer: http://www.google.com/?q=mybank%20berkeley
- Blank line
- Data (if POST; none for GET)
- GET: download data. POST: upload data.

Basic Structure of Web Traffic (con't)
- Includes status code
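The SQL injection scenario and the prepared-statement defense above, side by side as an added example (not the lecture's own code): the string-built query returns every account for the recipient value `foo' OR 1=1 --`, while the parameterized query binds the same value as a single SQL atom. The Person table and its three rows are constructed for the demo; Python's sqlite3 stands in for the Java JDBC PreparedStatement on the slide.

```python
import sqlite3

# Constructed sample data (not from the lecture): three accounts, two with Balance < 100.
ROWS = [(1, "Bob", 50), (2, "oski", 10), (3, "alice", 500)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (PersonID INTEGER, Username TEXT, Balance INTEGER)")
    conn.executemany("INSERT INTO Person VALUES (?, ?, ?)", ROWS)
    return conn

def lookup_unsafe(conn, recipient):
    # Vulnerable form from the slides: the untrusted value is pasted into the query text,
    # so a quote character in it changes the structure of the WHERE clause.
    sql = f"SELECT PersonID FROM Person WHERE Balance < 100 AND Username='{recipient}'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_safe(conn, recipient):
    # Prepared statement: the query structure is fixed up front and '?' marks the one slot
    # where input goes; the driver binds recipient as a single SQL atom, never as SQL syntax.
    sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username=?"
    return sorted(row[0] for row in conn.execute(sql, (recipient,)))

def demo():
    conn = make_db()
    payload = "foo' OR 1=1 --"   # the injection string from the slides
    return {
        "bob_unsafe": lookup_unsafe(conn, "Bob"),    # [1]: Bob's account, as intended
        "bob_safe": lookup_safe(conn, "Bob"),        # [1]: same result for benign input
        "inj_unsafe": lookup_unsafe(conn, payload),  # [1, 2, 3]: OR 1=1 exposes every account
        "inj_safe": lookup_safe(conn, payload),      # []: no user is literally named that
    }

if __name__ == "__main__":
    print(demo())
```

Python's sqlite3 refuses more than one statement per execute() call, so the `'; DROP TABLE Person; --` variant fails at the driver for an unrelated reason; the parameterized form is the defense that holds across drivers.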
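A parser for the HTTP request structure shown above (method, resource, version, headers, blank line, data), as an added example that is not part of the lecture. The raw request is constructed to mirror the one on the slide; the helper that flags credential-like query parameters is an assumption of this example, added because the slide's request carries the password in the URL.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed raw request (not captured traffic), mirroring the request on the slide:
# request line, headers, blank line, and no data since it is a GET.
RAW_REQUEST = (
    "GET /login.html?user=alice&pass=bigsecret HTTP/1.1\r\n"
    "Accept: image/gif, image/x-bitmap, image/jpeg\r\n"
    "Accept-Language: en\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)\r\n"
    "Host: mybank.com\r\n"
    "Referer: http://www.google.com/?q=mybank%20berkeley\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, resource, version, headers and data."""
    head, sep, body = raw.partition("\r\n\r\n")   # the blank line ends the header block
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # request line: Method Resource HTTP-version
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "version": version,
        "headers": headers,
        "body": body,   # POST data would appear here; empty for a GET
    }

def query_params_to_review(req, names=("pass", "password", "token")):
    """Credential-like parameters sent in the URL (hypothetical helper): unlike POST data,
    they end up in browser history, proxy and server logs, and the next request's Referer."""
    return sorted(k for k in req["query"] if k in names)

if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["path"], req["query"], query_params_to_review(req))
```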