Dan Kaminsky, profile picture
Uploaded byDan Kaminsky
PPTX, PDF11,340 views

Confidence web

The document discusses securing web applications. It argues that traditional approaches like blaming developers or banning third-party cookies are not effective solutions. Adding random tokens manually to URLs is difficult for developers. Using the referer header is unreliable due to inconsistencies across browsers and plugins. The origin header has similar problems. The document proposes an "interpreter suicide" approach where JavaScript detects cross-site navigation and prevents further execution to block attacks. This provides a client-side way to enforce session context without requiring manual token management.

Embed presentation

Downloaded 43 times
The Art Of Realism In Web Defense Dan Kaminsky Director of Penetration Testing IOActive
Introduction • I’m Dan Kaminsky – This is not a talk on DNS – This is not a talk on DNSSEC – This is not a talk on X.509 – This is (mostly) not even a talk about offense • Though it’ll happen • We are here to discuss defense – Why it’s hard – Why it’s still hard – How the Web is (still!) difficult to secure in very basic ways – What technical steps can be taken to make it easier for developers to secure their sites
The Web Has Won • HTML, JavaScript, and CSS are, by a wide margin, the most popular programming languages on the planet, at least for front end design – Bigger than Win32 – Bigger than Objective C – Bigger than Java – Bigger than Flash • Why install software when you can just browse to www.kayak.com?
The Web Has A Security Problem • Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF) are endemic • SQL Injection is not going away – And not just SQL – XML, JSON, even LDAP is in trouble • These are not new problems. These go back a decade. Why are we still suffering them? – After all, we’ve been saying for years, use randomized tokens in URLs, and “validate your input”!
The Traditional Response • “Developers are stupid and lazy.” – This is a great response – for our egos – It defines hackers as intelligent and industrious!
The Reality (as I see it) • It remains too difficult to make web browsers do surprisingly simple things – “Dan, I’ve been coming to Defcon for years. I love security. But you know, it’s $50K for me to build the site, and $150K for me to get somebody to come out and secure it. Do you know anybody who will pay 4x for me to build them a site?” – Our advice for how to secure things is really amazingly expensive • Expensive in terms of dev hours • Expensive in terms of outside validation – “So?”
Our Message • “It doesn’t matter if it’s expensive.” • “It doesn’t matter if it’s fragile.” • “It doesn’t matter if it breaks things.” • “It doesn’t matter if it doesn’t even do a great job securing things.” • It’s security! Obviously everybody has to do it! – And so instead of improving our technologies to the point where security is achievable, we spin our wheels demanding the deployment of immature defenses
You may disagree. • If you think all our existing solutions are good enough, and the only problem is lazy and stupid developers (“insufficiently incentivized” if you’re an academic), nothing I can say is going to convince you otherwise. • But if you agree, then your immediate question should be: What are you recommending? – It is not enough to curse the darkness. One must praise the light!
First Law Of Securing the Web: You are not allowed to break the web. • This is a point of significant contention! – Not just about cookies. • Remember “Mogul”, the huge project centered around dealing with Marsh Ray’s TLS Renegotiation vulnerability? • Remember how it involved an enormous IETF standardization effort around a fix, and a huge amount of work? • Did you notice all the patch announcements of crypto libraries applying the renegotiation fix?
The Fix Is Off By Default In Firefox • Just like I told Marsh Ray it would be. • “Note that to benefit from the fix for CVE-2009-3555 added in nss-3.12.6, Firefox 3.6 users will need to set their security.ssl.require_safe_negotiation preference to true. In Mandriva the default setting is false due to problems with some common sites.” – Mandriva Patch Notes – security.ssl.allow_unrestricted_renego_everywhere__te mporarily_available_pref Current default value: DEPENDS, see end of section The development version of Firefox (3.7-pre) uses "false" The stable releases 3.5.9 and 3.6.2 use "true" As soon as a sufficient amount of servers had a chance to upgrade, the default in stable releases will be switched to "false", too
Corollary: You Can’t Afford To Wait For Everybody To Patch • “The Internet Has No Flag Days” – i.e. “OK everyone, on July 8th, 2013, we will all simultaneously stop using Internet Explorer 6” • They needed to find a way to securely downgrade for servers that didn’t support their fix. – They didn’t (maybe they couldn’t?), and ultimately, it’s now all lost effort. – When will enough internal servers patch? Never. – Hard but true.
Second Law Of Securing The Web: Defenses must meet all engineering requirements • Classical security theory: “The attacker need only find one bug, while the defender must find them all.” – This is true, but incomplete. • Updated security theory: “The attacker need only consider one engineering requirement, while the defender must balance them all.” – If your defense is not fast enough, its not good enough – If your defense is not compatible enough, its not good enough – If your defense is not reliable enough, its not good enough – If your defense is not usable enough, its not good enough – If your defense is too hard to build or deploy, its will probably not be either built nor deployed
Security Is (Still!) New • Security is a new first class engineering requirement for software – Power efficiency is a new first class engineering requirement for consumer electronics – Just because the TV takes less electricity doesn’t mean it’s allowed to be any less pretty – Just because the code is more secure doesn’t mean it’s allowed to be slow • There remains surprisingly basic work to be done to facilitate security – Building a secure session context is one of those things – Lets talk about how to do that, while not screwing everything else up
Session Management: Where We Stand • How web sites are logged into – 1) Credentials are supplied • Generally via a username/password form – 2) A “cookie” is supplied to the user, so they don’t have to repeatedly log in • The cookie is tied to a domain • All HTTP requests to a domain have its cookie attached • Requests that come in with these cookies are assumed to be associated with the “session” created • The above is pretty easy to code.
Third Party Cookies • Unfortunately, cookies are badly designed for session management – THEY LEAK – Intent: www.bank.com links you from Page A to Page B, and you don’t have to log back in – Reality: www.badguy.com links you to the bank’s Page B, and you don’t have to log back in – Specific technical fault: Attacker-supplied URLs are allowed to mix with user-supplied Cookies
The “Easy Fix” • Ban third party cookies! – “I should only emit google cookies when browsing google” • The above would break the web – All sorts of Single Sign On mechanisms would fall over • So this will never happen. – Reality is what refuses to go away when you stop believing in it.
The “Real Fix”: Add Tokens By Hand • http://www.site.com/foo.php?tok en=298371231 – (Or a hidden form element in POSTs) • Tokens are about sacrificing the automatic nature of cookies for manual integration of the token in each generated URI • “Look how easy that is!” – If you just said that, you are not a web developer.
Tokens Are Actually Really Hard • [All] application local URLs have to be rewritten for using the randomizer object. While standard HTML forms and hyperlinks pose no special challenge, prior existing JavaScript may be harder to deal with. All JavaScript functions that assign values to document.location or open new windows have to be located and modified. Also all existing onclick and onsubmit events have to be rewritten. Furthermore, HTML code might include external referenced JavaScript libraries, which have to be processed as well. Because of these problems, a web application that is protected by such a solution has to be examined and tested thoroughly. – http://www.informatik.uni- hamburg.de/SVS/papers/2006_esorics_SessionSafe.pdf
Tokenizer Tricks Don’t Help Much • Possible to automatically make relative links inherit the token – Randomized domain • 298371231.site.com • Martin Johns’ SessionSafe • That quote came from that page – Randomized path • http://www.site.com/2983712131/foo.php • Actually kind of interesting – first good use for per-path cookies! • Haven’t heard of this before, but just came up with it • Absolute links are still very expensive to manage – They’re very, very common in the field
Three Possibilities • Browsers block third party cookies – Not happening • Developers manually add tokens to each HTTP request – Barely happening • Security fails – Totally happening – The web is a mess, filled with XSS and XSRF vulnerabilities • Even on authenticated resources!
A Tale Of Two Classes Of Web Page BBC News: Needs Deep Linking Amazon.Com Shopping Cart: Needs Security From Outside Attackers
On Boundaries • Most natural place to place boundary: Unauthenticated vs. Authenticated – Unauthenticated pages are the best landing points – Authenticated pages expose the greatest complexity • A strong session context prevents (Reflected) XSS and XSRF from executing at all – The attacker just cannot navigate to the endpoint with the bug – Making entire families of bugs unexploitable is always a good thing  – If even the unauthenticated landing points have sufficient complexity that they’re likely to be XSSable, then www.foo.com can be 302 Redirected to public.foo.com or even www.foopublic.com.
Question • Is it possible to get secure sessions, without having to manually append a token to each request?
The Most Common Attempt: Server-Side Referrer Checking • HTTP requests can contain a “Referer” field, which is supposed to describe the URL of the page that sourced the request for a particular asset – Yes, it’s misspelled in the standard • It is possible for an HTTP server to examine every request that comes in with an authenticated Cookie, and see if it also comes in with a Referer header from the same site • Many Content Management Systems have attempted to use Referer checking to stop XSRF and related attacks – Developers, finding a defensive technology that is easy and nondisruptive to implement, will actually do the work!
But Wait… • We tell them not to do this, for “Security Reasons” – “Referer headers can be spoofed using XMLHTTP and by using flash as demonstrated by Amit Klein and rapid7 and therefore cannot be trusted.” • http://www.cgisecurity.com/csrf-faq.html
Actually. • Amit et al fixed this years ago • There is no known mechanism for causing a browser to emit an arbitrary Referer header, and hasn’t been for quite some time. – More importantly, if one is found, it’s fixed, just like a whole host of other browser bugs • So can we use this?
The Real Reason You Can’t Depend On Server-Side Referrer: Appcompat • There are many mechanisms that result in web browsers navigating from page to page – Follow an anchor – Change document.location.href – Follow a 302 redirect – Follow a <meta http-equiv=“refresh”> link – Window.open • Referer header inconsistently attached – some methods have the header, some don’t – Differs by browser – Really differs by plugin
…and that’s without the “security tools” butting in • http://codex.wordpress.org/Enable_Sending_Referrers -- how to make Wordpress administration work (at least for 2.0x) if you have any of the following installed: – Norton Internet Security, Norton Personal, NetBarrier, SyGate Firewall, Kerio Firewall 4, Zone Alarm Pro, Agnitum Outpost Firewall Pro 2008, McAfee, Privoxy, etc. • And that’s to say nothing about network proxies like Squid, from which about one fifth of HTTP requests are sourced • Most blocking is there to protect privacy interests or to protect against Dynamic XSRF attacks, which is reasonable, but it applies even to Referer headers for the same site – One security technology interfering with another security technology? Impossible!
Fail Open Openly Failing • “Can’t we just enforce XSRF protections if there’s a Referer header, and allow the user in anyway (fail open) if the header is missing?” – This is actually the policy of a some CMS’s in the field  – Since there are navigation types that suppress Referer even on unfiltered hosts (<meta http- equiv=“refresh”>) they’re exposed. • See also, HTTPS->HTTP Referer suppression, which is an intentional feature to prevent full URI leakage from the secure context (thanks David Ross, Sirdarckat)
What About The Origin Header? • Attempt to “redo” Referer, this time for security • Unfortunately, it’s a little complicated… – Red is when Origin doesn’t work – Green is when Origin does work
NEVER DO THAT TO A DEV • Origin header tried to incorporate an overly complex security model • Result is that it’s effectively random when the header is applied – Makes sense if you’re writing a social networking application, but that’s about it • Workaround is to rewrite/audit all the links on your site – *facepalm*
Can We Go Client Side? • Remember, the client has the actual context, the server only gets what the client happens to put on the wire • Challenge: Can we make it so a violated session aborts? – www.badguy.com opens a window to www.bank.com/badurl. Server supplies the malicious URL, but the client uses Javascript to suppress execution – This would stop XSS
Interpreter Suicide • General idea: Preface all potentially attacker controlled HTML with a <script> that detects (we’ll talk about how later) cross-site navigation • If such is detected, we assume there might be something unsafe later in the the bytestream, and we have to prevent the Javascript/HTML interpreter from ever reaching it • “We put code at byte 500 so that byte 20000 never executes”
Example • <script> dest=“http://www.cnn.com”; document.location.href=dest; //Renavigate document.body.innerHTML=''; //Replace while(document.body.innerHTML!=''){ x++;} //Repeat alert(dest); // never reached </script> <script>alert(1);</script> NEVER REACHED
What’s Going On • Renavigation: Assign document.location.href to a safe landing page – Fires an event to cause the window to navigate – Does not necessarily stop the existing parse thread • Replacement: Assign document.body.innerHTML=“” – Replaces the object into which content was being streamed • Repetition: Prevent the script block from returning – Internal: while(1){ i=0; } – External: Add a dependency on a synchronous call that actually does block the interpreter for a nonzero amount of time • What doesn’t work: Releasing – Calling a nonexistent function only temporarily stops interpretation – VBScript may still run, along with code in IFRAMEs • (Thanks, Brandon Creighton!)
Why This Works (and it does work) • <script> var foo=1; </script> <script> alert(foo); </script> • The first script block must return before the second script block is allowed to execute – in other words, all functionally correct JS interpreters must parse HTML blocks linearly
What about XSRF? • Cross Site Request Forgery doesn’t care about the reply – the reply can be ignored, it’s the request (when mixed with the user’s cookie) that’s the source of pain – What if the reply to the REST endpoint was itself a batch of JS? And this batch contained a in-session challenge that, if passed, would result in a second query with a proper XSRF token? – What if we only did this, if the requestor’s User-Agent was a browser? • Performance impact: 1xRTT (One HTTP round trip)
Appcompat • Compatibility impact: Some problems with XMLHttpRequest and Flash – Both look like browsers, since they “borrow” the browser’s HTTP stack – Both are mostly same-domain only, with explicit opt-in required for cross domain activity – Neither will just automagically execute Javascript • Could add code to read back the challenge token (from a custom HTTP header, perhaps), but that’s just as hard as adding a random token • Could add code to add a random header, but that’s also just as hard as adding a random token (does save us 1xRTT though) – Best possible today: Hijack the XMLHttpRequest object, such that all calls of object.send() are overloaded to add a randomized header • Should be a similar include possible with Flash’s network stack • Just figured this out though, so it might not work • But what test could we use, to determine if we should cut execution?
What about document.referrer? • Document.referrer is populated in the Browser DOM, and is read by JS, so nothing on the wire can suppress it • However, support for it across navigational types is more inconsistent than you can imagine…
Document.referrer: Beautiful, but fails compatibility across browsers
Could we tag the window object itself? • Window.name – Cookie for window, independent of domain • Window.sessionStorage – New in HTML5 – Cookie for the combination of window and domain – It’s called sessionStorage!
Problem: Window Handles • foo = window.open(“http://www.bank.com”); • While an attacker cannot read cross domain, he can navigate the window arbitrarily – So we’ve gone from “attacker URL, user cookie” to “attacker URL, user window, user cookie” • It doesn’t help to tag the window, because the attacker can drag our window wherever it needs to be – sessionStorage can’t save us 
Perspective • There are major arguments over whether vector graphics should be animatable • Meanwhile we can’t safely log into websites
Engineering Requirements • 1) No work for developers on a per-URL basis, – There are just too many to hunt down • 2) Both client and server should be able to differentiate in-session and out-of-session requests • 3) Single Sign On support – “friendly” sites need to be able to log you into anything • 4) Bookmarks and Top Level Navigation events must be seen as authenticated (presuming cookies are still live)
One Design • SessionID “Supercookie”, emitted on requests from: – Same-site nav – Top-level nav – Bookmarks – “Friend sites” • API – window.getSessions([domain]) and window.setSessionId([string], [domain]) • Google can declare a session ID context for Pandora • Pandora can see all sessions that are live, from all sources – window.addSessionFriend(domain) allows/accepts session IDs from a named domain – window.atomicnavigate(domain) should do the equivalent of interpreter suicide, by design
The Simple Implementation • On login: – window.setSessionId(“loggedin”); • Server side check: Just look for a cookie pair, “_sessionId=loggedin” • Client side check: if(window.getSessions()[0]!=‘loggedin’){ window.atomicNavigate(‘login.php’); • (Gets fancier when accepting SSO cookies, but not much fancier.)
Another Thing That’s Broken: Injection Handling • "The bottom-line is that there just isn't a large measurable difference in the security postures from language to language or framework to framework -- specifically Microsoft ASP Classic, Microsoft .NET, Java, Cold Fusion, PHP, and Perl. Sure in theory one might be significantly more secure than the others, but when deployed on the Web it's just not the case.” --Jeremiah Grossman, CTO, White Hat Security (a guy who has audited a lot of web applications) • Question: Why aren’t the type safe languages safer against web attack than the type unsafe languages?
We Aren’t Actually Using Them • Reality of web development – HTML and JavaScript and CSS and XML and SQL and PHP and C# and… – “On the web, every time you sneeze, you’re writing in a new language” • How do we communicate across all these languages? – Strings • And how type safe are strings? – Not at all
All Injections Are Type Bugs • select count(*) from foo where x=‘x' or '1'='1'; – The C# sender thinks there’s a string there. – The SQL receiver thinks there’s a string, a concatenator, another string, and comparator, and another string there. • The challenge: Maintaining type safety across language boundaries
“This is a solved problem!” • “Just escape your strings” • “Just use parameterized queries” • In different ways, both common solutions suck. – I hereby declare sucking a legitimate technical term.
What’s Wrong With Escaping • Escaping fails open. – If you forget to do it, things continue to work correctly (most of the time) – The sooner you find a problem, the less expensive the problem is • Escaping works “by coincidence” – Types are determined in parsed strings by the existence of terminators (null, quotes, parenthesis, etc.) – You hope that your escaper catches enough of them • escape() • escapeURI() • escapeURIComponent()
Unicode Will Cut You • Last year, Moxie Marlinspike and I independently broke most X.509 implementations using a NULL terminator – “Great! Everybody should know to use a RegEx to alter or alert on NULLs!” – What I didn’t say last year, was that there was at least one other character that I could have used • 0xC0 0x80 – A UTF-8 overwide NULL, vs. CryptoAPI, also terminated X.509 Common Names • You have to mark a special flag to ban overwide characters in Windows Unicode, and they didn’t. – And there are up to four other byte sequences that might also get parsed as a NULL – To say nothing about “best fit matching”, which can be different at every tier – The problem with escaping is that you are, in fact parsing – and if when you drift from the real parser, you fail
Insult To Injury • Escaping encourages the belief that regular expressions are a good idea – b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0- 5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0- 9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0- 9][0-9]?)b • Makes sure that an IP address is valid – /(<as(?:[^>](?!href))*hrefs*)(&(&[^;]+;)?(?:.(?!3))+( ?:3)?)([^>]+>)/ • Curtis Poe, Author: “I was strutting like a peacock when I wrote that, followed quickly by eating crow when I ran it. I never did get that working right. I'm still not sure what I was trying to do.”
What About Parameterized Queries? • Which would you rather write? – $r = $m->query(“SELECT * from foo where fname=‘$fname’ and lname=‘$lname’ and address=‘$address’ and city=‘$city’”); – $p->prepare(“SELECT * from foo where fname=‘$fname’ and lname=‘$lname’ and address=‘$address’ and city=‘$city’”); $p->set(1, $fname); $p->set(2, $lname); $p->set(3, $address); $p->set(4, $city); $r->$m->queryPrepared($p); • Hint: THIS SUCKS
Reality • Devs hate writing all this boilerplate – If they didn’t hate it, we wouldn’t have to repeatedly file bugs demanding they do it! • Stored procedures demand support from “priesthood of DBAs” in order to add functions to the database – And of course such DBA audits are necessary, because without them devs will just push in a magic procedure that can call all other procedures
What We’re Left With • They don’t escape • They don’t parameterize • We’re just left insecure – Can we do better?
What About Randomized Terminators? • Used (reasonably effectively) in MIME – ------=_NextPart_002_0186_01C89653.D38E9D10 Content- Type: text/html; charset="Windows-1252" Content- Transfer-Encoding: quoted-printable … ------=_NextPart_002_0186_01C89653.D38E9D10— – Nestable • Rather than dotting a string with backslashes and escape codes all over the place, we have a single, fairly large escape sequence at the beginning and end of attacker controlled content – This is portable to other protocols – I refer to this as “treelocking”
(Implicit) Treelocking for XML • <foo> <evil> xxx </evil> </foo> • <foo> <evil> <__treelock_EYKPRZEJ2LKF55UJ> xxx </__treelock_EYKPRZEJ2LKF55UJ> </evil> </foo> • In this situation, the attacker can inject whatever string he likes – as long as he never discovers that the escape sequence on this particular submission is EYKPRZERJ2LKF55UJ, he is stuck inside the <evil></evil> tree node
Caveats • Requires a parser that cares where in the parse tree sensitive values show up – <book> <title lang="eng">Harry Potter</title> <price>29.99</price> </book> – An xpath search for /book/title will return all titles within books. An xpath search for //title will return all titles, whether or not they are in a book. • xml.findAll(“title”) also fails – Treelocking cannot save you if you do not care if <evil> provides you sensitive system data – Schemas can save you, unless <evil> is allowed to house arbitrary XML (which it would, if it’s intended to be opaque at your layer) – This is potentially a problem for SAX parsers and naïve XML implementations – Look for this on pen tests that allow you to submit XML, or even those that accept plaintext but dump it into a n-tier web backend
The Larger Problem • Only works on languages with dynamic terminators – XML passes – JSON, LDAP, and SQL do not • What about encryption? – {“foo": { "__treelock_0": { key: "12341", locked_data: "abcdabcdabcd" } } • Realization: No actual value to the crypto – Base64, no crypto: Attacker constrained to string – Crypto, no Base64: Attacker eventually randomly hits terminators – Once again, no point to encrypting data when the key is right next to the encrypted data. Ahem. Everyone, please stop doing this.
So, JSON can be handled much like XML, but adding a de-base64 phase • Encoded: – {"test": { "__treelock_0": “ImV2aWwiIDogInRvbm90b25vIgo= " } • Decoded – {"test": { "evil" : "tonotono“ }
…and this approach can be used for other protocols, like LDAP and XML… • LDAP: ldap://localhost:389/_PL=ABCDABCDABCDABCDABCDABCDABCDABCD -> ou=ABCDABCDABCD,o=ABCDABCDABCD -> ou=People,o=JNDITutorial – Note the intentional use of multiple rounds of Base64 • XML: <foo> <evil> <__treelock_0> yru9BZ8AEIqm </__treelock> </evil> (yes, I know a CDATA section would theoretically be more XML-y)
And SQL too. • select count(*) from foo where x='x' or '1'='1'; 3 • select base64_encode("x' or '1'='1"); eCcAb3IAJzEnPScx • select count(*) from foo where x=base64_decode("eCcAb3IAJzEnPScx"); 0
Alternate Encoding Scheme Discussion (I’m sure this isn’t the first) • “I think that easy way to protect against SQL injection is to convert inputted data into binary format, so that whatever input is, in sql query it will consist only of 1s and 0s.” – Dark.avenger@email.cz, 14-Aug-2008 • “If there IS a 1-to-1 correspondence, then EITHER your solution only makes it a bit harder to perform a SQL injection (a hacker would have to figure out what mapping was used between the text and the 'binary' format), OR you've come up with simply another way to escaping your data.” – jaimthorn@yahoo.com, 13-Oct-2008
Base64: The Whitelist to Escaping’s Blocklist • select count(*) from foo where x=base64_decode("eCcAb3IAJzEnPScx"); You know what eCcAb3IAJzEnPScx is not? – SQL. XML. JSON. LDAP. – So we’re type-safe going into base64_decode() • The response from base64_decode is always going to be treated as a String Literal in the parse tree of the SQL interpreter itself – Now, attacker strings are constrained to being just strings, by the engine itself – not subqueries, not extra lookups, nothing – So we’re type-safe coming out of base64_decode()
Important Note #1: The Database Never Stores Base64 Encoded Data • select count(*) from foo where x=base64_decode("eCcAb3IAJzEnPScx"); • It’s stored natively – we’re simply using Base64 between the calling language and the called language, to enforce a String type
Important Note #2: The Remote Client Doesn’t Generate The Base64 • Early binding: Variables are Base64’d right as they come off the HTTP header • Late binding: Variables are Base64’d right before they are emitted into the SQL parser • Both of these mechanisms are secure – Obviously you can’t trust the client to do the encoding
Related Work • There is some really cool related work done by Meredith Patterson called Dejector, which attempts to run a second SQL parser in front of the first one so as to operate filters there – This works well – especially as a way to execute intelligent filtering and scrubbing! – Dejector’s filters, integrated as a plugin to the actual parse tree used by the actual database, would probably be the best of both worlds – http://www.thesmartpolitenerd.com/code/dejector.html • GreenSQL seems to be a productized version of the SQL-parser- before-the-SQL-parser design; unsure if it’s a filter or a scrubber – Has had some problems in the past re: parser drift, unfortunately – Thanks Kuza55! • The primary difference of this approach is that it is aggressively trying to find a better interface to/for existing parsers
Implementation Notes • Where to get a Base6*_Encode/Decode function? – Stored Procedure • http://wi-fizzle.com/downloads/base64.sql • Not wildly fast • Embeds into database • May require DBA permission – UDF (User Defined Function) • MySQL extension, written in C • Very fast, though not as fast as an integrated function • DEFINITELY requires DBA permission, and is less portable • Need to write a good one Wrote a good one at SIGINT – No performance penalty – Integration into DB itself • Surprisingly, doesn’t already exist • Potential for much greater support across the parse tree • Would be much faster
The Challenge: Debuggability • Anyone who’s ever debugged an XML-based protocol (WS-*, ahem) with Base64-encoded blobs in CDATA sections, from a basic text editor, knows what I’m talking about – There are entire protocols that nobody has ever entirely decoded, because to do so would require key after key after key which of course notepad.exe can’t be expected to deal with – The hope of proposing unkeyed Base64 wrapping as the one true escaping mechanism is that viewers and debuggers can be modified to expect to be able to inline- decode Base6* content with nothing more than the simple algorithm
Possible Necessity • It may be necessary to adding explicit type declarations to the Base64 wrapper, so that text sweepers can find Base64 encoded blobs and autodecode them, something like: _-_STRING-AaBbCc-_-
The Hook: Ease Of Use For The Developer • Developers like string interpolation for porting variables into SQL, irrespective of security – Interpolation: $query = "select * from $table where fname='$fname' and country='$country';"; • Surprisingly, they’ll go to some interesting lengths to keep their variables near the rest of the query – Concatenation: query = "select * from " + table + " where fname = '" + fname + "' and country='" + country + "';"; – Conjecture: Fitt’s Law (from the UI world) applies to programmers – the closer data is to the code that operates on it, the faster the code can be written
Editing Interpolation Syntax • What we could advise – $query = "select * from bd($!table) where fname=bd($!fname) and country=bd($!country);“ • We could enrich interpolation syntax by adding inline Base* support • Couldn’t do this with escaping, because escapes were too specific • THERE ARE MANY WAYS OF DOING THIS, MOST OF WHICH ARE BAD. But the core idea seems clearly good – it’s a rough form of marking type – Happy programmer • Who needs to escape anyway, to support Unicode and names with apostrophes in them properly – Happy security engineer! • Maybe even happy DBA, who can enforce use of Base64 on all incoming String Literals
Summary • 1) Server Side Referer Checking can be bypassed using navigation methods in every browser • 2) There are potentially real issues with sensitive XML elements being parsed out of an attacker controlled section of a document • 3) Session management is horribly broken, and we can do better than manual token integration • 4) Base64, as a type enforcement system for strings, might actually be a really good solution for injections

More Related Content

PPT
Dmk blackops2006
byDan Kaminsky
 
PPT
Black opspki 2
byDan Kaminsky
 
PPT
Dmk bo2 k8_bh_fed
byDan Kaminsky
 
PPTX
Yet Another Dan Kaminsky Talk (Black Ops 2014)
byDan Kaminsky
 
PPTX
Interpolique
byDan Kaminsky
 
PPTX
Domain Key Infrastructure (From Black Hat USA)
byDan Kaminsky
 
PPT
Design Reviewing The Web
byamiable_indian
 
PPTX
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
byDan Kaminsky
 
Dmk blackops2006
byDan Kaminsky
 
Black opspki 2
byDan Kaminsky
 
Dmk bo2 k8_bh_fed
byDan Kaminsky
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
byDan Kaminsky
 
Interpolique
byDan Kaminsky
 
Domain Key Infrastructure (From Black Hat USA)
byDan Kaminsky
 
Design Reviewing The Web
byamiable_indian
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
byDan Kaminsky
 

What's hot

PPT
Dmk shmoo2007
byDan Kaminsky
 
PPTX
Black ops 2012
byDan Kaminsky
 
PPT
Black ops of tcp2005 japan
byDan Kaminsky
 
PDF
Bh fed-03-kaminsky
byDan Kaminsky
 
PPTX
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
byDan Kaminsky
 
PPT
Dmk bo2 k8
byDan Kaminsky
 
PDF
Bh eu 05-kaminsky
byDan Kaminsky
 
PPTX
Wo defensive trickery_13mar2017
byDan Kaminsky
 
ODP
Bugs Aren't Random
byDan Kaminsky
 
PPTX
A Technical Dive into Defensive Trickery
byDan Kaminsky
 
PDF
Why isn't infosec working? Did you turn it off and back on again?
byRob Fuller
 
PDF
232 md5-considered-harmful-slides
byDan Kaminsky
 
PPTX
I Want These * Bugs Off My * Internet
byDan Kaminsky
 
PPTX
Move Fast and Fix Things
byDan Kaminsky
 
PPT
Dmk blackops2006 ccc
byDan Kaminsky
 
PPTX
Dmk sb2010 web_defense
byDan Kaminsky
 
PPTX
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
byDan Kaminsky
 
PDF
NotaCon 2011 - Networking for Pentesters
byRob Fuller
 
PDF
A @textfiles approach to gathering the world's DNS
byRob Fuller
 
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
byRob Fuller
 
Dmk shmoo2007
byDan Kaminsky
 
Black ops 2012
byDan Kaminsky
 
Black ops of tcp2005 japan
byDan Kaminsky
 
Bh fed-03-kaminsky
byDan Kaminsky
 
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
byDan Kaminsky
 
Dmk bo2 k8
byDan Kaminsky
 
Bh eu 05-kaminsky
byDan Kaminsky
 
Wo defensive trickery_13mar2017
byDan Kaminsky
 
Bugs Aren't Random
byDan Kaminsky
 
A Technical Dive into Defensive Trickery
byDan Kaminsky
 
Why isn't infosec working? Did you turn it off and back on again?
byRob Fuller
 
232 md5-considered-harmful-slides
byDan Kaminsky
 
I Want These * Bugs Off My * Internet
byDan Kaminsky
 
Move Fast and Fix Things
byDan Kaminsky
 
Dmk blackops2006 ccc
byDan Kaminsky
 
Dmk sb2010 web_defense
byDan Kaminsky
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
byDan Kaminsky
 
NotaCon 2011 - Networking for Pentesters
byRob Fuller
 
A @textfiles approach to gathering the world's DNS
byRob Fuller
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
byRob Fuller
 

Similar to Confidence web

PPT
Dmk bo2 k8_ccc
byDan Kaminsky
 
PPTX
Building Secure User Interfaces With JWTs (JSON Web Tokens)
byStormpath
 
PDF
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
byPhilippe De Ryck
 
PPT
Web Apps Security
byVictor Bucutea
 
PPTX
Building Secure User Interfaces With JWTs
byrobertjd
 
PDF
Making Web Development "Secure By Default"
byDuo Security
 
PPTX
Cm2 secure code_training_1day_data_protection
bydcervigni
 
PPTX
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
PPTX
Owasp web application security trends
bybeched
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PPTX
Thoughts on Defensive Development for Sitecore
byPINT Inc
 
PDF
Chapter 13 web security
bynewbie2019
 
PDF
Rails security: above and beyond the defaults
byMatias Korhonen
 
PPTX
Protecting Web App users in today’s hostile environment
byajitdhumale
 
PDF
Web Security Privacy And Commerce 2nd Edition Second Edition Simson Garfinkel
bytaraghmenti41
 
PDF
Owasp top 10_openwest_2019
bySean Jackson
 
PDF
Hacking Vulnerable Websites to Bypass Firewalls
byNetsparker
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PDF
Securing Your BBC Identity
byMarc Littlemore
 
PDF
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
Dmk bo2 k8_ccc
byDan Kaminsky
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
byStormpath
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
byPhilippe De Ryck
 
Web Apps Security
byVictor Bucutea
 
Building Secure User Interfaces With JWTs
byrobertjd
 
Making Web Development "Secure By Default"
byDuo Security
 
Cm2 secure code_training_1day_data_protection
bydcervigni
 
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
Owasp web application security trends
bybeched
 
Securing Web Applications with Token Authentication
byStormpath
 
Thoughts on Defensive Development for Sitecore
byPINT Inc
 
Chapter 13 web security
bynewbie2019
 
Rails security: above and beyond the defaults
byMatias Korhonen
 
Protecting Web App users in today’s hostile environment
byajitdhumale
 
Web Security Privacy And Commerce 2nd Edition Second Edition Simson Garfinkel
bytaraghmenti41
 
Owasp top 10_openwest_2019
bySean Jackson
 
Hacking Vulnerable Websites to Bypass Firewalls
byNetsparker
 
Owasp top 10 2013
byEdouard de Lansalut
 
Securing Your BBC Identity
byMarc Littlemore
 
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 

More from Dan Kaminsky

PPT
Chicken
byDan Kaminsky
 
PPT
Chicken Chicken Chicken Chicken
byDan Kaminsky
 
PPTX
Some Thoughts On Bitcoin
byDan Kaminsky
 
PPTX
Interpolique
byDan Kaminsky
 
PPT
Bh us-02-kaminsky-blackops
byDan Kaminsky
 
PDF
Bh eu 05-kaminsky
byDan Kaminsky
 
PPT
Dmk neut toor
byDan Kaminsky
 
PPT
Dmk audioviz
byDan Kaminsky
 
PPT
Bo2004
byDan Kaminsky
 
PPT
Gwc3
byDan Kaminsky
 
PDF
Advanced open ssh
byDan Kaminsky
 
Chicken
byDan Kaminsky
 
Chicken Chicken Chicken Chicken
byDan Kaminsky
 
Some Thoughts On Bitcoin
byDan Kaminsky
 
Interpolique
byDan Kaminsky
 
Bh us-02-kaminsky-blackops
byDan Kaminsky
 
Bh eu 05-kaminsky
byDan Kaminsky
 
Dmk neut toor
byDan Kaminsky
 
Dmk audioviz
byDan Kaminsky
 
Bo2004
byDan Kaminsky
 
Gwc3
byDan Kaminsky
 
Advanced open ssh
byDan Kaminsky
 

Recently uploaded

PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Workflow and decision Automation with Flowable
bychakib ch
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 

Confidence web

  • 1.
    The Art OfRealism In Web Defense Dan Kaminsky Director of Penetration Testing IOActive
  • 2.
    Introduction • I’m DanKaminsky – This is not a talk on DNS – This is not a talk on DNSSEC – This is not a talk on X.509 – This is (mostly) not even a talk about offense • Though it’ll happen • We are here to discuss defense – Why it’s hard – Why it’s still hard – How the Web is (still!) difficult to secure in very basic ways – What technical steps can be taken to make it easier for developers to secure their sites
  • 3.
    The Web HasWon • HTML, JavaScript, and CSS are, by a wide margin, the most popular programming languages on the planet, at least for front end design – Bigger than Win32 – Bigger than Objective C – Bigger than Java – Bigger than Flash • Why install software when you can just browse to www.kayak.com?
  • 4.
    The Web HasA Security Problem • Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF) are endemic • SQL Injection is not going away – And not just SQL – XML, JSON, even LDAP is in trouble • These are not new problems. These go back a decade. Why are we still suffering them? – After all, we’ve been saying for years, use randomized tokens in URLs, and “validate your input”!
  • 5.
    The Traditional Response •“Developers are stupid and lazy.” – This is a great response – for our egos – It defines hackers as intelligent and industrious!
  • 6.
    The Reality (asI see it) • It remains too difficult to make web browsers do surprisingly simple things – “Dan, I’ve been coming to Defcon for years. I love security. But you know, it’s $50K for me to build the site, and $150K for me to get somebody to come out and secure it. Do you know anybody who will pay 4x for me to build them a site?” – Our advice for how to secure things is really amazingly expensive • Expensive in terms of dev hours • Expensive in terms of outside validation – “So?”
  • 7.
    Our Message • “Itdoesn’t matter if it’s expensive.” • “It doesn’t matter if it’s fragile.” • “It doesn’t matter if it breaks things.” • “It doesn’t matter if it doesn’t even do a great job securing things.” • It’s security! Obviously everybody has to do it! – And so instead of improving our technologies to the point where security is achievable, we spin our wheels demanding the deployment of immature defenses
  • 8.
    You may disagree. •If you think all our existing solutions are good enough, and the only problem is lazy and stupid developers (“insufficiently incentivized” if you’re an academic), nothing I can say is going to convince you otherwise. • But if you agree, then your immediate question should be: What are you recommending? – It is not enough to curse the darkness. One must praise the light!
  • 9.
    First Law OfSecuring the Web: You are not allowed to break the web. • This is a point of significant contention! – Not just about cookies. • Remember “Mogul”, the huge project centered around dealing with Marsh Ray’s TLS Renegotiation vulnerability? • Remember how it involved an enormous IETF standardization effort around a fix, and a huge amount of work? • Did you notice all the patch announcements of crypto libraries applying the renegotiation fix?
  • 10.
    The Fix IsOff By Default In Firefox • Just like I told Marsh Ray it would be. • “Note that to benefit from the fix for CVE-2009-3555 added in nss-3.12.6, Firefox 3.6 users will need to set their security.ssl.require_safe_negotiation preference to true. In Mandriva the default setting is false due to problems with some common sites.” – Mandriva Patch Notes – security.ssl.allow_unrestricted_renego_everywhere__te mporarily_available_pref Current default value: DEPENDS, see end of section The development version of Firefox (3.7-pre) uses "false" The stable releases 3.5.9 and 3.6.2 use "true" As soon as a sufficient amount of servers had a chance to upgrade, the default in stable releases will be switched to "false", too
  • 11.
    Corollary: You Can’tAfford To Wait For Everybody To Patch • “The Internet Has No Flag Days” – i.e. “OK everyone, on July 8th, 2013, we will all simultaneously stop using Internet Explorer 6” • They needed to find a way to securely downgrade for servers that didn’t support their fix. – They didn’t (maybe they couldn’t?), and ultimately, it’s now all lost effort. – When will enough internal servers patch? Never. – Hard but true.
  • 12.
    Second Law OfSecuring The Web: Defenses must meet all engineering requirements • Classical security theory: “The attacker need only find one bug, while the defender must find them all.” – This is true, but incomplete. • Updated security theory: “The attacker need only consider one engineering requirement, while the defender must balance them all.” – If your defense is not fast enough, its not good enough – If your defense is not compatible enough, its not good enough – If your defense is not reliable enough, its not good enough – If your defense is not usable enough, its not good enough – If your defense is too hard to build or deploy, its will probably not be either built nor deployed
  • 13.
    Security Is (Still!)New • Security is a new first class engineering requirement for software – Power efficiency is a new first class engineering requirement for consumer electronics – Just because the TV takes less electricity doesn’t mean it’s allowed to be any less pretty – Just because the code is more secure doesn’t mean it’s allowed to be slow • There remains surprisingly basic work to be done to facilitate security – Building a secure session context is one of those things – Lets talk about how to do that, while not screwing everything else up
  • 14.
    Session Management: Where WeStand • How web sites are logged into – 1) Credentials are supplied • Generally via a username/password form – 2) A “cookie” is supplied to the user, so they don’t have to repeatedly log in • The cookie is tied to a domain • All HTTP requests to a domain have its cookie attached • Requests that come in with these cookies are assumed to be associated with the “session” created • The above is pretty easy to code.
  • 15.
    Third Party Cookies •Unfortunately, cookies are badly designed for session management – THEY LEAK – Intent: www.bank.com links you from Page A to Page B, and you don’t have to log back in – Reality: www.badguy.com links you to the bank’s Page B, and you don’t have to log back in – Specific technical fault: Attacker-supplied URLs are allowed to mix with user-supplied Cookies
  • 16.
    The “Easy Fix” •Ban third party cookies! – “I should only emit google cookies when browsing google” • The above would break the web – All sorts of Single Sign On mechanisms would fall over • So this will never happen. – Reality is what refuses to go away when you stop believing in it.
  • 17.
    The “Real Fix”:Add Tokens By Hand • http://www.site.com/foo.php?tok en=298371231 – (Or a hidden form element in POSTs) • Tokens are about sacrificing the automatic nature of cookies for manual integration of the token in each generated URI • “Look how easy that is!” – If you just said that, you are not a web developer.
  • 18.
    Tokens Are ActuallyReally Hard • [All] application local URLs have to be rewritten for using the randomizer object. While standard HTML forms and hyperlinks pose no special challenge, prior existing JavaScript may be harder to deal with. All JavaScript functions that assign values to document.location or open new windows have to be located and modified. Also all existing onclick and onsubmit events have to be rewritten. Furthermore, HTML code might include external referenced JavaScript libraries, which have to be processed as well. Because of these problems, a web application that is protected by such a solution has to be examined and tested thoroughly. – http://www.informatik.uni- hamburg.de/SVS/papers/2006_esorics_SessionSafe.pdf
  • 19.
    Tokenizer Tricks Don’tHelp Much • Possible to automatically make relative links inherit the token – Randomized domain • 298371231.site.com • Martin Johns’ SessionSafe • That quote came from that page – Randomized path • http://www.site.com/2983712131/foo.php • Actually kind of interesting – first good use for per-path cookies! • Haven’t heard of this before, but just came up with it • Absolute links are still very expensive to manage – They’re very, very common in the field
  • 20.
    Three Possibilities • Browsersblock third party cookies – Not happening • Developers manually add tokens to each HTTP request – Barely happening • Security fails – Totally happening – The web is a mess, filled with XSS and XSRF vulnerabilities • Even on authenticated resources!
  • 21.
    A Tale OfTwo Classes Of Web Page BBC News: Needs Deep Linking Amazon.Com Shopping Cart: Needs Security From Outside Attackers
  • 22.
    On Boundaries • Mostnatural place to place boundary: Unauthenticated vs. Authenticated – Unauthenticated pages are the best landing points – Authenticated pages expose the greatest complexity • A strong session context prevents (Reflected) XSS and XSRF from executing at all – The attacker just cannot navigate to the endpoint with the bug – Making entire families of bugs unexploitable is always a good thing  – If even the unauthenticated landing points have sufficient complexity that they’re likely to be XSSable, then www.foo.com can be 302 Redirected to public.foo.com or even www.foopublic.com.
  • 23.
    Question • Is itpossible to get secure sessions, without having to manually append a token to each request?
  • 24.
    The Most CommonAttempt: Server-Side Referrer Checking • HTTP requests can contain a “Referer” field, which is supposed to describe the URL of the page that sourced the request for a particular asset – Yes, it’s misspelled in the standard • It is possible for an HTTP server to examine every request that comes in with an authenticated Cookie, and see if it also comes in with a Referer header from the same site • Many Content Management Systems have attempted to use Referer checking to stop XSRF and related attacks – Developers, finding a defensive technology that is easy and nondisruptive to implement, will actually do the work!
  • 25.
    But Wait… • Wetell them not to do this, for “Security Reasons” – “Referer headers can be spoofed using XMLHTTP and by using flash as demonstrated by Amit Klein and rapid7 and therefore cannot be trusted.” • http://www.cgisecurity.com/csrf-faq.html
  • 26.
    Actually. • Amit etal fixed this years ago • There is no known mechanism for causing a browser to emit an arbitrary Referer header, and hasn’t been for quite some time. – More importantly, if one is found, it’s fixed, just like a whole host of other browser bugs • So can we use this?
  • 27.
    The Real ReasonYou Can’t Depend On Server-Side Referrer: Appcompat • There are many mechanisms that result in web browsers navigating from page to page – Follow an anchor – Change document.location.href – Follow a 302 redirect – Follow a <meta http-equiv=“refresh”> link – Window.open • Referer header inconsistently attached – some methods have the header, some don’t – Differs by browser – Really differs by plugin
  • 28.
    …and that’s withoutthe “security tools” butting in • http://codex.wordpress.org/Enable_Sending_Referrers -- how to make Wordpress administration work (at least for 2.0x) if you have any of the following installed: – Norton Internet Security, Norton Personal, NetBarrier, SyGate Firewall, Kerio Firewall 4, Zone Alarm Pro, Agnitum Outpost Firewall Pro 2008, McAfee, Privoxy, etc. • And that’s to say nothing about network proxies like Squid, from which about one fifth of HTTP requests are sourced • Most blocking is there to protect privacy interests or to protect against Dynamic XSRF attacks, which is reasonable, but it applies even to Referer headers for the same site – One security technology interfering with another security technology? Impossible!
  • 29.
    Fail Open OpenlyFailing • “Can’t we just enforce XSRF protections if there’s a Referer header, and allow the user in anyway (fail open) if the header is missing?” – This is actually the policy of a some CMS’s in the field  – Since there are navigation types that suppress Referer even on unfiltered hosts (<meta http- equiv=“refresh”>) they’re exposed. • See also, HTTPS->HTTP Referer suppression, which is an intentional feature to prevent full URI leakage from the secure context (thanks David Ross, Sirdarckat)
  • 30.
    What About TheOrigin Header? • Attempt to “redo” Referer, this time for security • Unfortunately, it’s a little complicated… – Red is when Origin doesn’t work – Green is when Origin does work
  • 32.
    NEVER DO THATTO A DEV • Origin header tried to incorporate an overly complex security model • Result is that it’s effectively random when the header is applied – Makes sense if you’re writing a social networking application, but that’s about it • Workaround is to rewrite/audit all the links on your site – *facepalm*
  • 33.
    Can We GoClient Side? • Remember, the client has the actual context, the server only gets what the client happens to put on the wire • Challenge: Can we make it so a violated session aborts? – www.badguy.com opens a window to www.bank.com/badurl. Server supplies the malicious URL, but the client uses Javascript to suppress execution – This would stop XSS
  • 34.
    Interpreter Suicide • Generalidea: Preface all potentially attacker controlled HTML with a <script> that detects (we’ll talk about how later) cross-site navigation • If such is detected, we assume there might be something unsafe later in the the bytestream, and we have to prevent the Javascript/HTML interpreter from ever reaching it • “We put code at byte 500 so that byte 20000 never executes”
  • 35.
    Example • <script> dest=“http://www.cnn.com”; document.location.href=dest; //Renavigate document.body.innerHTML='';//Replace while(document.body.innerHTML!=''){ x++;} //Repeat alert(dest); // never reached </script> <script>alert(1);</script> NEVER REACHED
  • 36.
    What’s Going On •Renavigation: Assign document.location.href to a safe landing page – Fires an event to cause the window to navigate – Does not necessarily stop the existing parse thread • Replacement: Assign document.body.innerHTML=“” – Replaces the object into which content was being streamed • Repetition: Prevent the script block from returning – Internal: while(1){ i=0; } – External: Add a dependency on a synchronous call that actually does block the interpreter for a nonzero amount of time • What doesn’t work: Releasing – Calling a nonexistent function only temporarily stops interpretation – VBScript may still run, along with code in IFRAMEs • (Thanks, Brandon Creighton!)
  • 37.
    Why This Works(and it does work) • <script> var foo=1; </script> <script> alert(foo); </script> • The first script block must return before the second script block is allowed to execute – in other words, all functionally correct JS interpreters must parse HTML blocks linearly
  • 38.
    What about XSRF? •Cross Site Request Forgery doesn’t care about the reply – the reply can be ignored, it’s the request (when mixed with the user’s cookie) that’s the source of pain – What if the reply to the REST endpoint was itself a batch of JS? And this batch contained a in-session challenge that, if passed, would result in a second query with a proper XSRF token? – What if we only did this, if the requestor’s User-Agent was a browser? • Performance impact: 1xRTT (One HTTP round trip)
  • 39.
    Appcompat • Compatibility impact:Some problems with XMLHttpRequest and Flash – Both look like browsers, since they “borrow” the browser’s HTTP stack – Both are mostly same-domain only, with explicit opt-in required for cross domain activity – Neither will just automagically execute Javascript • Could add code to read back the challenge token (from a custom HTTP header, perhaps), but that’s just as hard as adding a random token • Could add code to add a random header, but that’s also just as hard as adding a random token (does save us 1xRTT though) – Best possible today: Hijack the XMLHttpRequest object, such that all calls of object.send() are overloaded to add a randomized header • Should be a similar include possible with Flash’s network stack • Just figured this out though, so it might not work • But what test could we use, to determine if we should cut execution?
  • 40.
    What about document.referrer? •Document.referrer is populated in the Browser DOM, and is read by JS, so nothing on the wire can suppress it • However, support for it across navigational types is more inconsistent than you can imagine…
  • 41.
    Document.referrer: Beautiful, butfails compatibility across browsers
  • 42.
    Could we tagthe window object itself? • Window.name – Cookie for window, independent of domain • Window.sessionStorage – New in HTML5 – Cookie for the combination of window and domain – It’s called sessionStorage!
  • 43.
    Problem: Window Handles •foo = window.open(“http://www.bank.com”); • While an attacker cannot read cross domain, he can navigate the window arbitrarily – So we’ve gone from “attacker URL, user cookie” to “attacker URL, user window, user cookie” • It doesn’t help to tag the window, because the attacker can drag our window wherever it needs to be – sessionStorage can’t save us 
  • 44.
    Perspective • There aremajor arguments over whether vector graphics should be animatable • Meanwhile we can’t safely log into websites
  • 45.
    Engineering Requirements • 1)No work for developers on a per-URL basis, – There are just too many to hunt down • 2) Both client and server should be able to differentiate in-session and out-of-session requests • 3) Single Sign On support – “friendly” sites need to be able to log you into anything • 4) Bookmarks and Top Level Navigation events must be seen as authenticated (presuming cookies are still live)
  • 46.
    One Design • SessionID“Supercookie”, emitted on requests from: – Same-site nav – Top-level nav – Bookmarks – “Friend sites” • API – window.getSessions([domain]) and window.setSessionId([string], [domain]) • Google can declare a session ID context for Pandora • Pandora can see all sessions that are live, from all sources – window.addSessionFriend(domain) allows/accepts session IDs from a named domain – window.atomicnavigate(domain) should do the equivalent of interpreter suicide, by design
  • 47.
    The Simple Implementation •On login: – window.setSessionId(“loggedin”); • Server side check: Just look for a cookie pair, “_sessionId=loggedin” • Client side check: if(window.getSessions()[0]!=‘loggedin’){ window.atomicNavigate(‘login.php’); • (Gets fancier when accepting SSO cookies, but not much fancier.)
  • 48.
    Another Thing That’sBroken: Injection Handling • "The bottom-line is that there just isn't a large measurable difference in the security postures from language to language or framework to framework -- specifically Microsoft ASP Classic, Microsoft .NET, Java, Cold Fusion, PHP, and Perl. Sure in theory one might be significantly more secure than the others, but when deployed on the Web it's just not the case.” --Jeremiah Grossman, CTO, White Hat Security (a guy who has audited a lot of web applications) • Question: Why aren’t the type safe languages safer against web attack than the type unsafe languages?
  • 49.
    We Aren’t ActuallyUsing Them • Reality of web development – HTML and JavaScript and CSS and XML and SQL and PHP and C# and… – “On the web, every time you sneeze, you’re writing in a new language” • How do we communicate across all these languages? – Strings • And how type safe are strings? – Not at all
  • 50.
    All Injections AreType Bugs • select count(*) from foo where x=‘x' or '1'='1'; – The C# sender thinks there’s a string there. – The SQL receiver thinks there’s a string, a concatenator, another string, and comparator, and another string there. • The challenge: Maintaining type safety across language boundaries
  • 51.
    “This is asolved problem!” • “Just escape your strings” • “Just use parameterized queries” • In different ways, both common solutions suck. – I hereby declare sucking a legitimate technical term.
  • 52.
    What’s Wrong WithEscaping • Escaping fails open. – If you forget to do it, things continue to work correctly (most of the time) – The sooner you find a problem, the less expensive the problem is • Escaping works “by coincidence” – Types are determined in parsed strings by the existence of terminators (null, quotes, parenthesis, etc.) – You hope that your escaper catches enough of them • escape() • escapeURI() • escapeURIComponent()
  • 53.
    Unicode Will CutYou • Last year, Moxie Marlinspike and I independently broke most X.509 implementations using a NULL terminator – “Great! Everybody should know to use a RegEx to alter or alert on NULLs!” – What I didn’t say last year, was that there was at least one other character that I could have used • 0xC0 0x80 – A UTF-8 overwide NULL, vs. CryptoAPI, also terminated X.509 Common Names • You have to mark a special flag to ban overwide characters in Windows Unicode, and they didn’t. – And there are up to four other byte sequences that might also get parsed as a NULL – To say nothing about “best fit matching”, which can be different at every tier – The problem with escaping is that you are, in fact parsing – and if when you drift from the real parser, you fail
  • 54.
    Insult To Injury •Escaping encourages the belief that regular expressions are a good idea – b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0- 5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0- 9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0- 9][0-9]?)b • Makes sure that an IP address is valid – /(<as(?:[^>](?!href))*hrefs*)(&(&[^;]+;)?(?:.(?!3))+( ?:3)?)([^>]+>)/ • Curtis Poe, Author: “I was strutting like a peacock when I wrote that, followed quickly by eating crow when I ran it. I never did get that working right. I'm still not sure what I was trying to do.”
  • 55.
    What About ParameterizedQueries? • Which would you rather write? – $r = $m->query(“SELECT * from foo where fname=‘$fname’ and lname=‘$lname’ and address=‘$address’ and city=‘$city’”); – $p->prepare(“SELECT * from foo where fname=‘$fname’ and lname=‘$lname’ and address=‘$address’ and city=‘$city’”); $p->set(1, $fname); $p->set(2, $lname); $p->set(3, $address); $p->set(4, $city); $r->$m->queryPrepared($p); • Hint: THIS SUCKS
  • 56.
    Reality • Devs hatewriting all this boilerplate – If they didn’t hate it, we wouldn’t have to repeatedly file bugs demanding they do it! • Stored procedures demand support from “priesthood of DBAs” in order to add functions to the database – And of course such DBA audits are necessary, because without them devs will just push in a magic procedure that can call all other procedures
  • 57.
    What We’re LeftWith • They don’t escape • They don’t parameterize • We’re just left insecure – Can we do better?
  • 58.
    What About RandomizedTerminators? • Used (reasonably effectively) in MIME – ------=_NextPart_002_0186_01C89653.D38E9D10 Content- Type: text/html; charset="Windows-1252" Content- Transfer-Encoding: quoted-printable … ------=_NextPart_002_0186_01C89653.D38E9D10— – Nestable • Rather than dotting a string with backslashes and escape codes all over the place, we have a single, fairly large escape sequence at the beginning and end of attacker controlled content – This is portable to other protocols – I refer to this as “treelocking”
  • 59.
    (Implicit) Treelocking forXML • <foo> <evil> xxx </evil> </foo> • <foo> <evil> <__treelock_EYKPRZEJ2LKF55UJ> xxx </__treelock_EYKPRZEJ2LKF55UJ> </evil> </foo> • In this situation, the attacker can inject whatever string he likes – as long as he never discovers that the escape sequence on this particular submission is EYKPRZERJ2LKF55UJ, he is stuck inside the <evil></evil> tree node
  • 60.
    Caveats • Requires aparser that cares where in the parse tree sensitive values show up – <book> <title lang="eng">Harry Potter</title> <price>29.99</price> </book> – An xpath search for /book/title will return all titles within books. An xpath search for //title will return all titles, whether or not they are in a book. • xml.findAll(“title”) also fails – Treelocking cannot save you if you do not care if <evil> provides you sensitive system data – Schemas can save you, unless <evil> is allowed to house arbitrary XML (which it would, if it’s intended to be opaque at your layer) – This is potentially a problem for SAX parsers and naïve XML implementations – Look for this on pen tests that allow you to submit XML, or even those that accept plaintext but dump it into a n-tier web backend
  • 61.
    The Larger Problem •Only works on languages with dynamic terminators – XML passes – JSON, LDAP, and SQL do not • What about encryption? – {“foo": { "__treelock_0": { key: "12341", locked_data: "abcdabcdabcd" } } • Realization: No actual value to the crypto – Base64, no crypto: Attacker constrained to string – Crypto, no Base64: Attacker eventually randomly hits terminators – Once again, no point to encrypting data when the key is right next to the encrypted data. Ahem. Everyone, please stop doing this.
  • 62.
    So, JSON canbe handled much like XML, but adding a de-base64 phase • Encoded: – {"test": { "__treelock_0": “ImV2aWwiIDogInRvbm90b25vIgo= " } • Decoded – {"test": { "evil" : "tonotono“ }
  • 63.
    …and this approachcan be used for other protocols, like LDAP and XML… • LDAP: ldap://localhost:389/_PL=ABCDABCDABCDABCDABCDABCDABCDABCD -> ou=ABCDABCDABCD,o=ABCDABCDABCD -> ou=People,o=JNDITutorial – Note the intentional use of multiple rounds of Base64 • XML: <foo> <evil> <__treelock_0> yru9BZ8AEIqm </__treelock> </evil> (yes, I know a CDATA section would theoretically be more XML-y)
  • 64.
    And SQL too. •select count(*) from foo where x='x' or '1'='1'; 3 • select base64_encode("x' or '1'='1"); eCcAb3IAJzEnPScx • select count(*) from foo where x=base64_decode("eCcAb3IAJzEnPScx"); 0
  • 65.
    Alternate Encoding SchemeDiscussion (I’m sure this isn’t the first) • “I think that easy way to protect against SQL injection is to convert inputted data into binary format, so that whatever input is, in sql query it will consist only of 1s and 0s.” – Dark.avenger@email.cz, 14-Aug-2008 • “If there IS a 1-to-1 correspondence, then EITHER your solution only makes it a bit harder to perform a SQL injection (a hacker would have to figure out what mapping was used between the text and the 'binary' format), OR you've come up with simply another way to escaping your data.” – jaimthorn@yahoo.com, 13-Oct-2008
  • 66.
    Base64: The Whitelistto Escaping’s Blocklist • select count(*) from foo where x=base64_decode("eCcAb3IAJzEnPScx"); You know what eCcAb3IAJzEnPScx is not? – SQL. XML. JSON. LDAP. – So we’re type-safe going into base64_decode() • The response from base64_decode is always going to be treated as a String Literal in the parse tree of the SQL interpreter itself – Now, attacker strings are constrained to being just strings, by the engine itself – not subqueries, not extra lookups, nothing – So we’re type-safe coming out of base64_decode()
  • 67.
    Important Note #1:The Database Never Stores Base64 Encoded Data • select count(*) from foo where x=base64_decode("eCcAb3IAJzEnPScx"); • It’s stored natively – we’re simply using Base64 between the calling language and the called language, to enforce a String type
  • 68.
    Important Note #2:The Remote Client Doesn’t Generate The Base64 • Early binding: Variables are Base64’d right as they come off the HTTP header • Late binding: Variables are Base64’d right before they are emitted into the SQL parser • Both of these mechanisms are secure – Obviously you can’t trust the client to do the encoding
  • 69.
    Related Work • Thereis some really cool related work done by Meredith Patterson called Dejector, which attempts to run a second SQL parser in front of the first one so as to operate filters there – This works well – especially as a way to execute intelligent filtering and scrubbing! – Dejector’s filters, integrated as a plugin to the actual parse tree used by the actual database, would probably be the best of both worlds – http://www.thesmartpolitenerd.com/code/dejector.html • GreenSQL seems to be a productized version of the SQL-parser- before-the-SQL-parser design; unsure if it’s a filter or a scrubber – Has had some problems in the past re: parser drift, unfortunately – Thanks Kuza55! • The primary difference of this approach is that it is aggressively trying to find a better interface to/for existing parsers
  • 70.
    Implementation Notes • Whereto get a Base6*_Encode/Decode function? – Stored Procedure • http://wi-fizzle.com/downloads/base64.sql • Not wildly fast • Embeds into database • May require DBA permission – UDF (User Defined Function) • MySQL extension, written in C • Very fast, though not as fast as an integrated function • DEFINITELY requires DBA permission, and is less portable • Need to write a good one Wrote a good one at SIGINT – No performance penalty – Integration into DB itself • Surprisingly, doesn’t already exist • Potential for much greater support across the parse tree • Would be much faster
  • 71.
    The Challenge: Debuggability •Anyone who’s ever debugged an XML-based protocol (WS-*, ahem) with Base64-encoded blobs in CDATA sections, from a basic text editor, knows what I’m talking about – There are entire protocols that nobody has ever entirely decoded, because to do so would require key after key after key which of course notepad.exe can’t be expected to deal with – The hope of proposing unkeyed Base64 wrapping as the one true escaping mechanism is that viewers and debuggers can be modified to expect to be able to inline- decode Base6* content with nothing more than the simple algorithm
  • 72.
    Possible Necessity • Itmay be necessary to adding explicit type declarations to the Base64 wrapper, so that text sweepers can find Base64 encoded blobs and autodecode them, something like: _-_STRING-AaBbCc-_-
  • 73.
    The Hook: EaseOf Use For The Developer • Developers like string interpolation for porting variables into SQL, irrespective of security – Interpolation: $query = "select * from $table where fname='$fname' and country='$country';"; • Surprisingly, they’ll go to some interesting lengths to keep their variables near the rest of the query – Concatenation: query = "select * from " + table + " where fname = '" + fname + "' and country='" + country + "';"; – Conjecture: Fitt’s Law (from the UI world) applies to programmers – the closer data is to the code that operates on it, the faster the code can be written
  • 74.
    Editing Interpolation Syntax •What we could advise – $query = "select * from bd($!table) where fname=bd($!fname) and country=bd($!country);“ • We could enrich interpolation syntax by adding inline Base* support • Couldn’t do this with escaping, because escapes were too specific • THERE ARE MANY WAYS OF DOING THIS, MOST OF WHICH ARE BAD. But the core idea seems clearly good – it’s a rough form of marking type – Happy programmer • Who needs to escape anyway, to support Unicode and names with apostrophes in them properly – Happy security engineer! • Maybe even happy DBA, who can enforce use of Base64 on all incoming String Literals
  • 75.
    Summary • 1) ServerSide Referer Checking can be bypassed using navigation methods in every browser • 2) There are potentially real issues with sensitive XML elements being parsed out of an attacker controlled section of a document • 3) Session management is horribly broken, and we can do better than manual token integration • 4) Base64, as a type enforcement system for strings, might actually be a really good solution for injections