PPT - CCSS

advertisement
This Material Will Not be
In Final Exam
Cross-Site Scripting (XSS)
What is XSS?
• A vulnerability in Web applications that lets attackers
inject client-side scripts into third-party Web pages
• Browsers of other visitors of compromised Web page
run the script – expose any data browser handles
• Popularity of these exploits grows and has surpassed
buffer overflow exploits
Non-persistent XSS Vulnerability
• Web server does not properly sanitize user input but
uses it “as is” to generate a dynamic reply (Web
page)
– This reply contains attacker’s script code
• Attacker can craft the URL with his script embedded
in it
– URL points to the target site, supplies some input + script
– Entice user to click on URL
– Script will steal some user info that user shares with the
site, e.g. a cookie
Example
Attacker
Google
1. Click here:
http://www.google.com?something</FORM><SCRIPT>….
3. Attacker’s script
executes with
Google’s privs
2. Send in HTTP GET as argument to Google homepage:
something</FORM><SCRIPT>….
User
Persistent XSS Vulnerability
• Data provided by attacker is stored by server and
displayed to any future user
– E.g. when posts to online message boards are not properly
sanitized
• Such a script can access any content the
compromised server can
Where Do Vulnerabilities Occur
• In server code that processes user input and
dynamically renders the resulting page
• In client code that runs in browser and renders Web
pages with data from the server
– JavaScript mostly
– Document Object Model (DOM) – standard model for
representing HTML and XML content
Defense: Escape User Input
• Ensure that characters of input are treated as data,
not as code
– Translate any dangerous characters into another form of
the same characters that cannot be interpreted as code
– E.g., translate “<“ into “<”
• Some input could be encoded into different charset
– Enforce charset in each server reply so that interpretation
of user’s input is fixed
Defense: Validate User Input
• Some Web sites want to allow users to input and
render HTML
– E.g., use HTML markup in emails and online posts
– Escaping doesn’t help here since it would destroy HTML
markup
– User input must pass through the HTML policy engine to
ensure it does not contain XSS
Defense: Cookie Security
• Because XSS can be used to steal cookies, sites
cannot rely only on cookies for authentication
– Tie cookies to specific IPs
– HTTP Only flag in browsers allows access to cookies from
HTML documents only (scripts cannot access them)
Defense: Disabling Scripts
• Browser-side defense
– Makes some Web pages not render
– Could be turned off for some sites which are trusted to be
well secured against XSS
XML Randomization XSS Defense
• Web application randomizes XML tag prefixes before
delivering a document to client
– Hard for attacker to predict randomized prefixes
– Cannot inject scripts into application input
“Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site
Scripting Attacks”, Matthew Van Gundy and Hao Chen. In Proceedings of the 16th Annual
Network and Distributed System Security Symposium (NDSS), 2009.
Insertion Vectors
• Tag body
– review.text = <script>attack()</script>
• Node splitting
– review.text = </p></div><script>attack()</script><div><p>
• Attribute value
– review.contact = javascript:attack()
• Attribute splitting
– review.contact = ’ onclick=’javascript:attack()
• Tag splitting
– review.contact = ’><script>attack()</script>
“Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site
Scripting Attacks”, Matthew Van Gundy and Hao Chen. In Proceedings of the 16th Annual
Network and Distributed System Security Symposium (NDSS), 2009.
Tag Prefix Randomization
• XML namespaces
– User chooses a prefix for a tag
– E.g. for <A> tag:
• <p:a xmlns:p=’http://www.w3.org/1999/xhtml’>
• <q:a xmlns:q=’http://www.w3.org/1999/xhtml’>
• Leverage XML prefixes to annotate document with
trust classes
– “Label” of each trust class random and hard to guess by
attacker
• Prefixes randomly chosen on each document delivery
“Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site
Scripting Attacks”, Matthew Van Gundy and Hao Chen. In Proceedings of the 16th Annual
Network and Distributed System Security Symposium (NDSS), 2009.
Example From Paper
Attack code
“Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site
Scripting Attacks”, Matthew Van Gundy and Hao Chen. In Proceedings of the 16th Annual
Network and Distributed System Security Symposium (NDSS), 2009.
Trust Policy
• Defines tags that are trusted
• Defines HTML tags and operations that are allowed
in untrusted content
• Everything else is denied
• Server delivers both the potentially hazardous
content and the trust policy
• Client browser enforces policy on server-delivered
content
“Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site
Scripting Attacks”, Matthew Van Gundy and Hao Chen. In Proceedings of the 16th Annual
Network and Distributed System Security Symposium (NDSS), 2009.
Deployment
• Both client and server need to be modified
• Easy add-on to existing software
• Client proxy can protect multiple clients in a network
“Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site
Scripting Attacks”, Matthew Van Gundy and Hao Chen. In Proceedings of the 16th Annual
Network and Distributed System Security Symposium (NDSS), 2009.
MANET Security
What Is MANET?
• Mobile Ad-Hoc Network
–
–
–
–
Wireless nodes
Changing topology
Possibly no trusted authority
Usually battery operated with limited CPU/memory
Security Challenges
• Wireless medium
– Sniffing and jamming are easy, impersonation too
• Peers as routers
– No trust in routers, may sniff, drop or fabricate data
• Changing topology
– Routes are learned, can be manipulated by attackers
• No trust infrastructure or trusted entities
– How to distribute keys
• Limited resources
– Algorithms must be simple and cheap
Physical/Link Layer Attacks
• Sniffing: attackers can easily pick up wireless
transmissions because they are broadcast at specific
frequency (MAC spoofing possible too)
– Frequency hopping
– Directional antennas
– Encryption
• Jamming is easy
– But attacker needs powerful transmitter
– Directional antennas
• MAC protocol misuse to monopolize shared medium
– How to create a distributed protocol that detects and penalizes
misbehavior?
Ad-Hoc Routing
• Routes are learned when needed (due to mobility)
• Dynamic Source Routing (DSR)
– Source puts entire route in packet header
• Route discovery
–
–
–
–
Request messages broadcast
Intermediate nodes add themselves to the message
Reply unicast to the source with full path recorded
Nodes can cache overheard routes and may reply from
cache
– Link breakage results in error messages that delete routes
in the network that use the broken link
Ad-Hoc Routing
• Ad-hoc On-Demand Distance Vector Routing
– Source just specifies destination
– Routers on path forward as they see fit
• Route discovery
– Request messages broadcast
– Intermediate nodes repeat the message,
cache next hop to the source
– Reply unicast to the source, intermediate nodes cache next
hop to the destination
– Intermediate node may reply from cache
– When link breaks intermediate node may attempt to
rediscover new route
– Error messages remove routes that used the broken link
Routing Attacks
• Routing message flooding (DoS)
• Routing table overflow
– Fill with bogus routes
• Routing cache poisoning is easy
– Just fabricate requests or replies with spoofed source
• Fabricate false error messages
Network Layer Attacks
•
•
•
•
Drop packets, modify them or replay them
Delay packets
Inject junk traffic
Wormhole Attack
– Tunnel packets to another location
• Blackhole Attack
– Make the node part of many routes
– Drop all traffic
Wormhole Attacks
• Attacker records traffic at one point in MANET,
tunnels it (perhaps selectively) to another point and
replays it
• Replayed traffic can arrive sooner than original traffic
– This leads to an attacker node becoming part of many
routes
• Attack works even for traffic not going over attacker
nodes directly, and for encrypted traffic
“Wormhole attacks in wireless networks,” Yih-chun Hu , Adrian Perrig , David B.
Johnson, IEEE Journal on Selected Areas in Communications, 2006
Detection of Wormhole Attacks
• Packet leash
– Information added to the packet to restrict the distance it
can travel in one hop
– Geographical – recipient must be close to sender. Sender
records its location and time when packet is sent, recipient
checks for validity.
– Temporal – packet lifetime ends after certain time. Sender
records the time when packet is sent, recipient checks for
validity.
• Requires synchronized clocks
• Recorded information must be signed
“Wormhole attacks in wireless networks,” Yih-chun Hu , Adrian Perrig , David B.
Johnson, IEEE Journal on Selected Areas in Communications, 2006
DoS Attacks
•
•
•
•
•
Consume node battery, CPU or memory
Overflow node’s routing table
Flood the node with routing messages
Flood the node with data traffic
Drop node’s data traffic
Download