Web Application Attacks Presentation

advertisement
Web Application Attacks
ECE 4112 Fall 2007
Group 9
Zafeer Khan & Simmon Yau
Motivation

SANS (SysAdmin, Audit, Network,
Security) Top-20 2007 Security Risks
(2007 Annual Update)


No. 1 Client side vulnerability is web browsers
No. 1 Server side vulnerability is web applications

Common forms:




PHP Remote File Include (Remote Code Execution)
SQL Injection
Cross-site Scripting (XSS)
Cross-Site Request Forgeries (CSRF)
Outline

URL Interpretation Attacks





HTTP Response Splitting – Cross Site Scripting
SQL Injection
Impersonation Attacks
Buffer Overflow
Remote Code Execution
URL Interpretation Attacks

An attacker can take advantage of the
multiple ways of encoding an URL and abuse
the interpretation of the URL. An URL may
contain special character that need special
syntax handling in order to be interpreted.
Special characters are represented using a
percentage character followed by two digits
representing the octet code of the original
character (%HEX-CODE).
URL Interpretation Attacks

HTTP Response Splitting



http://website/redirect.php?page=http://website/welcome.ht
ml
http://website/redirect.php?page =0d%0aContentType:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d
%0aContentType:%20text/html%0d%0a%0d%0a%3chtml%3eHello,
world!%3c/html%3e
Result:
 Content-Type: text/html
 HTTP/1.1 200 OK
 Content-Type: text/html
 <html>Hello, world!</html>
URL Interpretation Attacks

Cross Site Scripting


http://website/redirect.php?page=http://website/ha
cked.html
Runs a JavaScript popup asking for Credit Card
Number
URL Interpretation Attacks

SQL Injection



“login.asp”: SQLQuery = “SELECT preferences FROM
logintable WHERE userid=’” &
Request.QueryString(“userid”) & “’ AND password=’” &
Request.QueryString(“password”) & “’;”
http://target/login.asp?userid=bob%27%3b%20update%20l
ogintable%20set%20passwd
%3d%270wn3d%27%3b--%00
Result:

SELECT preferences FROM logintable WHERE userid=’bob’;
update logintable set password=’0wn3d’;
Defenses Against URL Interpretation
Attacks



There are tools to scan HTTP requests to the server for valid
URL such as URLScan from Microsoft
(http://www.microsoft.com/technet/security/tools/urlscan.mspx).
Assume all input is malicious. Create a white list that defines all
valid input to the software system based on the requirements
specifications. Input that does not match against the white list
should not be permitted to enter into the system. Test your
decoding process against malicious input.
When client input is required from web-based forms, avoid using
the “GET” method to submit data, as the method causes the form
data to be appended to the URL and is easily manipulated.
Instead, use the “POST method whenever possible.
Impersonation Attacks
An
attack where someone pretends to be someone they are
not
Ability to gain access to private account information
Large sums of money involved
Hackers and organized crime alike would be interested
PHP Session




Http is a stateless protocol
Sessions are needed to store information
Sessions are different than cookies
Example of a PHP session students will see
in the lab
http://www.simmonyau.com/session.php
Session.php
<?php
session_start();
if ($PHPSESSID) {
echo $PHPSESSID;
} else {
print('This is your first time visiting this site. A session has
been created to track your information.');
session_register('PHPSESSID');
$PHPSESSID=rand();
}
?>
Poorly Coded PHP Session Management


Poorly coded PHP sessions can lead up to
impersonation attacks.
Although these kinds of attacks are unlikely
to happen unless the web developer was an
idiot, let’s look at an example.
http://www.simmonyau.com/badsession.php
Badsession.php
Badsession.php (cont’d)
Session Hijacking


It’s also possible for a hacker to pretend to be
a legit organization to trick you into giving
them your account information.
A malicious user could for example get a
false certificate and place it on their website
impersonating an organization or pretending
to be a real organization.
Session Hijacking Prevention


As a web developer, be sure to use the safest
ways in coding. Sometimes the default
settings may be the most secure.
For this lab, the following changes were
made from the default settings just to hijack
the session of the website:
1.
2.
register_globals was enabled (usually disabled
for security purposes)
session_register() was used instead of
$_SESSION['name']
Session Hijacking Prevention (cont’d)
3. php.ini changes
; Whether to use cookies.
session.use_cookies = 1
session.cookie_secure =0
; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 1.
session.use_only_cookies = 0
; Name of the session (used as cookie name).
session.name = PHPSESSID
register_globals=on
Session Hijacking Prevention (cont’d)
4. Protect the integrity of your session tokens/ids.
5. Do not ever use $_GET variables.
6. Do not register or input your information under
shady websites.
7. If you are logging into a “secure” website, check to
see if http changes to https.
Buffer Overflow



A buffer overflow attack can occur when a
user inputs more data in a buffer than it can
handle.
As a result, this code flows over into other
buffers and can corrupt or overwrite data in
them.
Although buffer overflows are harder for
hackers to find, it is easily exploitable by
anyone once it is found.
Buffer Overflow Prevention




Keep up to date with patches on programs.
Invalidate stack execution so extra code that
executes in the stack instead of the code can not
run.
Use good compliers because they usually catch
unsafe structures like gets(), strcpy(), etc.
Use the tool libsafe to provide secure calls to
function. (it follows frame pointers to the correct
stack frame when buffers are passed to unsafe
functions.
Remote Code Execution


An exploit where a user could run some
arbitrary code on a server.
Example: When register_globals are turned
on for php, if a webpage contained
require($somepage . “.php”);
Someone could then type in
http://www.yoursite.com/index.php?somepag
e=http://
Remote Code Execution Preventions

There’s not much you can do besides be
careful when coding your web applications.
Resources









http://searchsoftwarequality.techtarget.com/searchAppSecurity/down
loads/Hacking_Exposed_ch06.pdf, Hacking Exposed
http://capec.mitre.org, CAPEC (Common Attack Pattern
Enumeration and Classification)
http://www.sans.org/, SANS (SysAdmin, Audit, Network, Security)
Institute
http://www.securityfocus.com/infocus/1774
http://www.pcmag.com/article2/0,1759,34074,00.asp
http://www.weberdev.com/ViewArticle/Exploring-Session-Security-InPHP-Web-Applications
http://www.tizag.com/mysqlTutorial/mysqltables.php
http://phpsec.org/projects/guide/4.html
http://www.ic.unicamp.br/~stolfi/urna/buffer-oflow/
Questions?
ECE 4112 – Don’t Learn To Hack, Hack
To Learn
Download