Isc 08 Web Security
© Mihai Chiroiu
HTTP Protocol [1]
• Stateless, text-based request-response protocol
Client -> Server:
  GET /index.html HTTP/1.0
  Header1: value1
  Header2: value2

  <optional body>

Server -> Client:
  HTTP/1.0 200 OK
  Header1: value1
  Header2: value2

  <html><head>...</head>
  <body>...</body></html>
HTTP Methods
• GET: fetch a resource, may have query strings:
  http://domain.com/browse.php?list=users&name=john
  Generates:
  GET /browse.php?list=users&name=john HTTP/1.0
• PUT / POST: create or edit a resource (only POST is widely used)
• DELETE: delete resources (not used in practice)
• HEAD: like GET, but the server responds with the headers only
• OPTIONS: determine the options available for a resource
• GET, HEAD and OPTIONS should be idempotent
HTTP Methods & HTML Forms
• Links typically use a GET request for opening pages
• HTML forms can generate GET and POST requests:
  <form action="/login.php?user_type=regular" method="post">
    User: <input type="text" name="username">
    Password: <input type="password" name="pass">
  </form>
  Generates:
  POST /login.php?user_type=regular HTTP/1.0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 30 <-- the length of the body

  username=<username>&pass=<user's password>
Cookies
• A small piece of data that the browser stores and sends back to the server on future requests
• Can be used to remember user preferences, server sessions etc.
Cookie Security
• Cookies are insecure:
  • The user can freely read & modify them
  • They can be intercepted unless HTTPS is used for transport
• Must add confidentiality and integrity guarantees:
  • Using cryptography: encryption & HMAC [2]
  • Server-side sessions
• Privacy implications:
  • Cookies can be used to track users (e.g. by analytics & ad servers)
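Added example (not from the slides) of the HMAC half of the "cryptography" bullet, in the spirit of [2]: the server keeps no session state, the cookie carries user and expiry, and any client-side edit fails the tag check. SERVER_KEY, the cookie layout and the expiry field are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed demo key; a real server loads a random secret key from its configuration.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def sign_cookie(user: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    """Stateless session cookie: base64(user|expiry) + '.' + HMAC-SHA256 tag (hex)."""
    payload = f"{user}|{expires_at}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(cookie: str, key: bytes = SERVER_KEY, now=None):
    """Return the user name if the tag is valid and the cookie is unexpired, else None."""
    try:
        b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(expected, tag):
            return None
    except (ValueError, TypeError, binascii.Error):
        return None          # malformed cookie: treat exactly like a bad tag
    user, _, exp = payload.decode(errors="replace").rpartition("|")
    if not user or not exp.isdigit():
        return None
    if int(exp) < (now if now is not None else int(time.time())):
        return None          # integrity is fine but the cookie has expired
    return user


def tampered_copy(cookie: str, new_user: str) -> str:
    """Model the slide's threat: the client rewrites the body but cannot recompute the tag."""
    b64, tag = cookie.split(".", 1)
    _, _, exp = base64.urlsafe_b64decode(b64.encode()).decode().rpartition("|")
    return base64.urlsafe_b64encode(f"{new_user}|{exp}".encode()).decode() + "." + tag


if __name__ == "__main__":
    c = sign_cookie("john", expires_at=2_000_000_000)
    print(verify_cookie(c, now=1_700_000_000))                          # john
    print(verify_cookie(tampered_copy(c, "admin"), now=1_700_000_000))  # None
```

Confidentiality (the encryption half of the bullet) is not shown; anyone holding the cookie can still read the user name.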
Server Sessions
• Also known as server-side cookies
• Server generates a random, unique session ID:
  4125a859778b1bf9b9b778a236f01e01
• Server uses a database to store the secrets associated with a session ID
• Persisted as a cookie / passed using GET / POST parameters:
  Cookie: PHPSESSID=4125a85...
  or
  show.php?phpsessid=4125a85...
HTTPS [3]
• Based on Secure Sockets Layer / Transport Layer Security
• Creates a private channel between the client and the server
• The server authenticates itself using certificates and PKI
• Diffie-Hellman for forward secrecy
• Cipher negotiation: RC4, DES, AES CBC, AES GCM etc.
• Target of numerous attacks
TLS / HTTPS Attacks [4]
• Compression attacks (CRIME, BREACH)
• RC4 weaknesses
• Man-in-the-middle (Malicious Certificates, SSL stripping)
• Downgrade attacks (FREAK, Logjam, POODLE)
• Implementation bugs (e.g. Heartbleed, Cloudflare's Cloudbleed)
Server-side Processing
• Server generates dynamic content
• Scripting interfaces: CGI (legacy) / FastCGI / apache2 modules [5]
Sample Directory Layout
/var/www
|-- index.html
|-- login.php
|-- css/style.css
|-- images/
    |-- logo.png
    |-- map.png

Example requests:
> GET /index.html HTTP/1.0
> GET /images/logo.png HTTP/1.0
> POST /login.php HTTP/1.0
Server-side Processing
• Example (PHP)
  <?php
  // Query-string parameter; default to "" when it is absent
  $name = $_GET["name"] ?? "";
  $curDate = date("l");           // day of the week, e.g. "Monday"
  $message = "Welcome!";          // assumed: not defined on the original slide
  ?>
  <!-- $name is echoed unescaped here; see the XSS Prevention slide -->
  <p>Hello, <i><?=$name?></i>.
  The date is <b><?=$curDate?></b></p>
  <?php
  echo $message;
  ?>
Server-side Injection (1)
SQL Injection [6]
  $query = "SELECT * FROM users WHERE user='" .
           $_POST["user"] . "' AND password='" .
           hash("sha256", $_POST["password"]) . "'";
  $result = mysqli_query($conn, $query);
POST body: user=admin'--
• => SELECT * FROM users WHERE user='admin'-- AND password='...'
  (everything after -- is an SQL comment, so the password check is gone)
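The slide's query and its `admin'--` payload replayed against SQLite with Python's sqlite3, as an added example (not the slides' code): the concatenated query logs in with an empty password, the parameterized one does not. The user table is constructed.

```python
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    # Mirrors the slide's hash(); real systems use a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the slide's MySQL database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("s3cret")))
    conn.commit()
    return conn


def login_vulnerable(conn, user: str, password: str) -> list:
    """The slide's pattern: request fields spliced into the SQL text."""
    query = ("SELECT user FROM users WHERE user='" + user +
             "' AND password='" + pw_hash(password) + "'")
    # With user = "admin'--" the rest of the statement is an SQL comment,
    # so the password clause never runs.
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, user: str, password: str) -> list:
    """Parameterized query: the ? placeholders are bound as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT user FROM users WHERE user=? AND password=?",
        (user, pw_hash(password)),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    print(login_vulnerable(db, "admin'--", ""))  # ['admin']  logged in without a password
    print(login_safe(db, "admin'--", ""))        # []         no such user
```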
Server-side Injection (2)
• File upload attack
• Example:
  A site allows image submissions with minimal verification
  The user finds out the path to the image and requests it:
  GET /uploads/image_9876.gif.php
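Added example (not the slides' code) of the checks that would have rejected the `image_9876.gif.php` upload: the extension is taken from the last dot and must be allowlisted, the content must match that type's magic bytes, and the server chooses the stored name. The allowlist and upload directory are assumptions.

```python
import os
import secrets

# Assumed allowlist: extension -> bytes the file content must start with.
ALLOWED_TYPES = {"gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}
UPLOAD_DIR = "/var/www/uploads"  # assumed; serve it with script execution disabled


def validated_upload_path(client_name: str, data: bytes, upload_dir: str = UPLOAD_DIR):
    """Return the path the server will store the file under, or None to reject it."""
    base = os.path.basename(client_name.replace("\\", "/"))  # drop any directory parts
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()   # the LAST extension decides: "x.gif.php" -> "php"
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return None                        # unknown type, or content does not match the type
    # Never reuse the client's name: random name plus the validated extension.
    # Magic bytes stop trivial mislabeling; a no-execute upload directory is the real guarantee.
    return os.path.join(upload_dir, f"{secrets.token_hex(8)}.{ext}")
```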
Server-side Injection (3)
• Preventing injection:
Do not trust tutorials [7]
Application-Specific Vectors
• Broken Authentication System [8]
Predictable / insecure session IDs
• Authorization Vulnerabilities
Improper access verification
Example: /delete_user.php?id=5368
Server Misconfiguration [9]
• Again: do not trust tutorials
Nginx & PHP FastCGI configuration vulnerability [10]
Pwned Websites
• Haveibeenpwned.com – check it at home!
• Yahoo! (2012 – SQL Injection; 2013, 2014 – forged cookies)
  1 billion accounts exposed!
Client-side Security
• Client-side Scripting (JavaScript)
• Isolated execution, resource policies
• AJAX
• Browser vulnerabilities
JavaScript
• The most popular ECMAScript implementation [12]
• Used for webpage scripting (dynamic content, animations)
• Modern web applications are rendered entirely in JavaScript
AJAX [13]
• Asynchronous JavaScript and XML
• XMLHttpRequest - API for issuing background HTTP requests
Same / Cross Origin Policies [14]
• Same Origin = Same protocol + domain + port
  Example: http://domain.com vs https://www.domain.com
• Used to prevent cross-domain data stealing
  For example, a user enters malicious.com
  Malicious.com makes a request for facebook.com
  The request is made, but the response is discarded
• Does not prevent information leakage!
• CORS – Cross-Origin Resource Sharing
CORS
• CORS – Cross-Origin Resource Sharing
• The target server sends special response headers (Access-Control-Allow-Origin) that tell the browser which origins may read the response
XSS [15]
• Cross-Site Scripting / client-side code injection
• E.g.: a messaging board website that allows HTML rich text:
  Someone posts:
    I just wanted to say hello!
    <script>pwnThisSucker();</script>
• If the target website doesn't filter this, the code will execute in any visitor's browser
• The code can steal data, infect the victims using a browser exploit etc.
XSS Prevention
• Escape HTML before rendering
  Convert "<" to "&lt;", ">" to "&gt;", quotes to "&quot;" etc.
• Sanitize input
  Example: strip out dangerous tags like script, embed, iframe etc.
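Both defences applied to the post from the XSS slide, as an added example in Python (not the slides' code): html.escape makes the whole fragment inert character data, while the allowlist sanitizer keeps a few formatting tags and drops script, embed, iframe and every attribute. The allowlist is an assumption.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "p"}   # assumed allowlist for a message board
VOID_TAGS = {"br", "hr", "img", "input", "embed", "source", "wbr"}   # never have an end tag


def escape_for_html(untrusted: str) -> str:
    """Defence 1: <, >, &, quotes become entities, so the text can never start a tag."""
    return html.escape(untrusted, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Defence 2: keep allowlisted tags (without attributes), drop every other element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            if self.skip_depth == 0:
                self.out.append(f"<{tag}>")   # attributes dropped: no onclick=, no href=
        elif tag not in VOID_TAGS:
            self.skip_depth += 1              # unknown container: drop it and its content

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if self.skip_depth == 0:
                self.out.append(f"</{tag}>")
        elif self.skip_depth > 0:
            self.skip_depth -= 1

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=True))   # text is still escaped


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


POST = "I just wanted to say hello!\n<script>pwnThisSucker();</script>"  # from the slide
```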
CSRF [16]
• Cross-Site Request Forgery
• A malicious website tricks the browser / user into accessing a cross-origin URL
  Example (on malicious.com):
  <img src="https://www.facebook.com/post/?msg=PWNED!"/>
• Defenses:
  Don't execute critical actions on GET requests!
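A minimal server model of the defence, added here as an example (not the slides' code): it enforces the slide's rule that state changes require a POST, and additionally requires a per-session token that malicious.com cannot read because of the same-origin policy. The /post/ path and the session store are assumptions.

```python
import hmac
import secrets


class CsrfProtectedServer:
    """Toy server: a state change needs a POST carrying a token bound to the session."""

    def __init__(self):
        self.sessions = {}   # session id -> CSRF token (server-side session store)
        self.posts = []      # the "critical action": messages that got posted

    def new_session(self) -> str:
        sid = secrets.token_hex(16)                     # unpredictable session id
        self.sessions[sid] = secrets.token_urlsafe(32)  # one fresh token per session
        return sid

    def render_form(self, sid: str) -> str:
        # The token travels inside the page; a cross-origin site cannot read it,
        # so it cannot build a request the server will accept.
        return ('<form action="/post/" method="post">'
                f'<input type="hidden" name="csrf" value="{self.sessions[sid]}">'
                '<input type="text" name="msg"></form>')

    def handle(self, method: str, path: str, cookie_sid: str, params: dict) -> int:
        """Return the HTTP status for a request; 200 means the message was posted."""
        if path != "/post/":
            return 404
        if method != "POST":
            return 405   # the slide's rule: the <img> GET from malicious.com does nothing
        token = self.sessions.get(cookie_sid)
        if token is None:
            return 401   # no valid session cookie
        submitted = params.get("csrf", "")
        if not hmac.compare_digest(token.encode(), submitted.encode()):
            return 403   # the browser sent the cookie automatically, but not the token
        self.posts.append(params.get("msg", ""))
        return 200
```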
Browser Privacy [17]
• Websites can track the user across multiple domains!
• Cookies
Browser Vulnerabilities
• Browsers are a complex piece of software
• May have vulnerabilities that allow attackers to escape sandboxing
• Attack vectors:
  Malicious websites
Browser Vulnerabilities (2)
• 2015: Adobe Flash had 96 vulnerabilities [21]!
• 2016:
Browser Vulnerabilities (3)
• Pwn2Own: security competition for hacking browsers
• 2016 results [23]:
Secure Browsers
• If you want a secure browser:
  Don't use Microsoft's Internet Explorer!
OWASP [25]
• The Open Web Application Security Project
• OWASP Top 10 for 2017 (preview [26]):
References
[1] HTTP, https://tools.ietf.org/html/rfc2616
[2] Murdoch, Steven J. "Hardened stateless session cookies." International Workshop on Security Protocols. Springer Berlin Heidelberg, 2008.
[3] TLS protocol version 1.2, https://tools.ietf.org/html/rfc5246 (2008)
[4] TLS attacks, https://www.rfc-editor.org/rfc/pdfrfc/rfc7457.txt.pdf
[5] Common Gateway Interface, https://tools.ietf.org/html/rfc3875
[6] Clarke-Salt, Justin. SQL injection attacks and defense. Elsevier, 2009.
[7] Flawed Tutorials, https://arxiv.org/pdf/1704.02786.pdf
[8] Session Fixation, http://www.acros.si/papers/session_fixation.pdf
© Mihai Bucicoiu
References (2)
[8] https://fishbowl.pastiche.org/archives/docs/PasswordRecovery.pdf
[9] http://www.pcmag.com/article2/0,2817,11525,00.asp
[10] Common Nginx + PHP Misconfiguration, http://bit.ly/1kAK8xu
[11] ShellShock, http://www.securityfocus.com/bid/70103
[12] ECMA-262, http://www.ecma-international.org/publications/standards/Ecma-262.htm
[13] https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
[14] https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
[15] https://blogs.msdn.microsoft.com/dross/2009/12/15/happy-10th-birthday-cross-site-scripting/
References (3)
[16] https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/csrf_paper.pdf
[17] http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234427
[18] https://panopticlick.eff.org/
[19] How unique is your browser? https://kabijo.de/files/13/14/5641571611600.pdf
[20] http://lifehacker.com/the-best-browser-extensions-that-protect-your-privacy-479408034
[21] https://heimdalsecurity.com/blog/adobe-flash-vulnerabilities-security-risks/
References (4)
[22] https://www.recordedfuture.com/top-vulnerabilities-2016/
[23] https://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/
[24] https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md
[25] https://www.owasp.org/
[26] https://raw.githubusercontent.com/OWASP/Top10/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf