CSE484/CSE584
BASIC WEB SECURITY MODEL
Dr. Benjamin Livshits Web Security
Web Attacker
Sets up malicious site visited by victim; no control of network
Alice Network Security
Network Attacker
Intercepts and controls network communication
Alice Web Malware Attacker
Malware Attacker
Escapes the browser to wreak havoc on Alice’s machine
Alice Web Threat Models
Web attacker Control https://attacker.com Can obtain SSL/TLS certificate for https://attacker.com User visits attacker.comThis is what connects the world Or: runs attacker’s Facebook app, etc. of web attacks to low-level Network attacker memory-based exploitation Passive: Wireless eavesdropper we’ve seen so far Active: Evil router, DNS poisoning
Malware attacker Attacker escapes browser isolation mechanisms and run separately under control of OS Goals of Web Security
Safely browse the web Support secure web applications
Users should be able to Applications delivered over We willthe see web a lot should have the visit a variety of web of Java sameand PHP security properties sites, without incurring and JavaScript,we require for stand-alone applications harm: but not C or C++ No stolen information such as login credentials or Maybe even better properties because most cookies web applications enjoy the Site A cannot compromise protection provided by session at Site B memory-safe languages Looking Ahead
HTTP Communication Rendering content Navigation Cookies Security User Interface Isolation Frames and frame busting HTTP URLs or URIs
Global identifiers of network-retrievable documents
Example: https://courses.cs.washington.edu:80/courses/cse484/14au/#schedule
Protocol Fragment
Hostname Port Path
Special characters are encoded as hex: %0A = newline %20 or + = space, %2B = + (special exception) Short and Long URLs
10
Bit.ly: http://bit.ly/1vEIGks
http://longurlmaker.com: http://www.longurlmaker.com/go?id=7continuedg20fIs.gd0GetShortyagl56001drawn%2Boutu6lingeringShortlinksX .sestretchedd7lingeringzc8faraway0UrlTeajbstretched15jcontinued011expanded86v3stretchedqdXil40ShortenURLk Xilz401spun%2Boutq54bextensiveShrtndwoutstretched151TinyLinkcontinued2lastingdltallaU76nr0h61g5aIs.gdd01 41cMooURL085ShortURLcShortenURL40stretchrangyXil3p17hSitelutionsuwURLvi1enlargedc03743186701Dwarfurl 4aefwextensive0EasyURL315continuedbprotractedb19GetShorty2SHurl171enduring038r8bURLviremote6URL1Shor tURLspun%2Boutelongated0aX.seoutstretched0d4distantSimURL27highd418olasting9ShoterLink8stretchedoSHurl4 lankydrawn%2Bout0drawn%2Boutlofty19a2kenduringShortenURLxs0spread%2Bout9distantFly2d10101great0w78 NutshellURL190Minilienstretchedn0stretchd0ShortenURL0enlargedtallX.seelongated9URL.co.ukspun%2BoutURLvi8 e1012Shim00Ulimit7lasting3Shim034far%2Boff47spun%2Bout17nwelongated17a99eeexpandedtallm9MooURL1dr emote46URL11NutshellURLStartURLb5itall40c6Shrinkr0Fly2lasting91n8clengthened51X.se5Minilien2ShredURLBea m.to99continued131G8L1ffarawaycontinued0distantrangy7c04964300315a2RubyURLfU76154j1roh82lengthened0 faraway1z4outstretched1lr1B654301URL09stringyq8ShrinkURL184h7Dwarfurldrunningloftylingering18spread%2Bo ut68101ShortURL10kalengthy9B653ab41fextensive0prolonged7p11expandedprolongedremotec2Minilien0dB65str etchingarfaraway3extensive1yclnk.in9lankygreat50TightURL173cURL.co.ukmba2049815920prolonged8fprotractedf 0stringy6i164eelongatedMiniliene9elongated0PiURL1488gd2020a30far%2Breachinglengthy216d411t691elongate1 6extensived0drawn%2Bout11lankyYepItB65Shim31extensiveURLCutterShim99GetShorty1042Fly2af0e8protractede longatey0111563FhURL9c3TinyURLn8toweringDwarfurl10d6350c5TightURL3lnk.in03Shrtnd6g0lingering18gangling prolonged8astringy7StartURL100TraceURLSmallr01drawn%2Bout60ganglingstringy80Beam.tocdistantsG8LX.sedra wn%2Boutedrawn%2Bouty040SitelutionsU7601drawn%2Bout6f53A2N2lasting1194stretchinggangling20lnk.inURLC utter135b80b3ShortURL6far%2Boffm013q515deep8WapURLShrinkURLd410090lnk.infar%2Boff701far%2Boff96ling ering8a6x38118Redirxfar%2Breaching1stretched0protracted16t0l21130b90106zShoterLink967Smallr9R HTTP Request
Method File HTTP version Headers
GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=dingbats
Blank line Data – none for GET
GET : no side effect POST : possible side effect POST
12 POST /pass.php HTTP/1.1
Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://127.0.0.1/pass.php Cookie: passx=87e8af376bc9d9bfec2c7c0193e6af70; PHPSESSID=l9hk7mfh0ppqecg8gialak6gt5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30 username=zurfyx&pass=password Automation with CURL
13 curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/when.cgi
curl --data-urlencode "name=I am Daniel" http://www.example.com
Submit/POST binary data to a URL curl -X POST --data-binary @myfile.bin http://foo.com HTTP Response
HTTP version Status code Reason phrase Headers
HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Data Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: … Content-Length: 2543
Some data... blah, blah, blah
Cookies Common HTTP Codes
15 200 OK 401 Unauthorized 300 Multiple Choices 403 Forbidden 301 Moved Permanently 404 Not Found 302 Found 410 Gone 304 Not Modified 500 Internal Server Error 307 Temporary Redirect 501 Not Implemented 400 Bad Request 503 Service Unavailable 550 Permission denied Browser Tools
16 Watch the HTTP Traffic
17 HTTP Supports Caching
18 And Responses Can Be Interesting
19 And Surprising…
20 Interacting with Google using CURL
21 1. Authenticate with Google first
curl https://www.google.com/accounts/ClientLogin --data- urlencode [email protected] --data-urlencode Passwd=yourpasswd -d accountType=GOOGLE -d source=your.org-your.service- your.service.version -d service=wise SID=DQAAANcAAABjXXX; LSID=DQAAANoAXXX; Auth=DQAAANkAXXX
2. Get your spreadsheets
curl --silent --header "Authorization: GoogleLogin auth=DQAAANkAXXX" "https://spreadsheets.google.com/feeds/spreadsheets/private/full " | tidy -xml -indent -quiet
3. Get a particular spreadsheet
curl --silent --header "Authorization: GoogleLogin auth=$AUTH" "https://spreadsheets.google.com/feeds/download/spreadsheets/Exp ort?key=$KEY&exportFormat=tsv" | sort -n -k 15 -t $'\t' Rendering Content Rendering and Events
Each browser window Events can be or frame… User actions: Loads content OnClick Renders it OnMouseover Processes HTML and Rendering: scripts to display page OnLoad May involve images, OnBeforeUnload sub-frames, etc. Timing: Responds to events setTimeout() clearTimeout() Connecting it All Together
24 Slightly More Complex…
25 Document Object Model (DOM)
Object-oriented interface used to read and write docs Web page in HTML is structured data DOM provides representation of this hierarchy
Includes Browser Object Model (BOM) window document frames[] history location navigator (type and version of browser) Deep DOM Trees
27 Pre-Year 2000
28
frame Pre-Year 2000: Functionality Added Via JavaScript 29
frame Changing HTML using JavaScript, DOM
Some possibilities createElement(elementName) HTML createTextNode(text)
- Item 1 appendChild(newChild)
Example: Add a new list item:
var list = document.getElementById('t1') var newitem = document.createElement('li') var newtext = document.createTextNode(text) list.appendChild(newitem) newitem.appendChild(newtext) HTML Image Tags
31 …
…
… … Any security issues? Image Beacons32 Communicate with other sites
Hide resulting image
Spoof other sites: add logos that fool a user Beacons in Practice
33 onError in JavaScript
34
Triggered in case of error Can register a JavaScript handler Port Scanning Behind A Firewall
JavaScript can: Request images from internal IP addresses Example: Use timeout/onError to determine success/failure Fingerprint webapps using known image names
Server 1) “show me dancing pigs!” scan
Malicious 2) “check this out” Web page
scan 3) port scan results Browser scan
Firewall 36
Break… Cookies: Client State
37 Cookies: Browser State
POST … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; If expires=NULL: expires = (when expires) ; this session only secure = (only over SSL)
Browser POST … Server Cookie: NAME = VALUE
HTTP is stateless protocol; cookies add state Cookie-Based Authentication
Browser Web Server Auth server
POST login.cgi Username & pwd Validate user
Set-cookie: auth=val auth=val Store val
GET restricted.html Cookie: auth=val restricted.html auth=val Check val
If YES, YES/NO restricted.html Cookie Security Policy
Uses: User authentication Personalization User tracking: e.g. Doubleclick (3rd party cookies)
Browser will store: At most 20 cookies/site, 3 KB / cookie
Origin is the tuple
41 Secure Cookies
GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; Secure=true
Provides confidentiality against network attacker
Browser will only send cookie back over HTTPS
No integrity Can rewrite secure cookies over HTTP Network attacker can rewrite secure cookie Can log user into attacker’s account A Real Secure Set-Cookie Request
43 httpOnly Cookies
GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; httpOnly
Cookie sent over HTTP(s), but not accessible to scripts cannot be read via document.cookie Helps prevent cookie theft via XSS
… but does not stop most other risks of XSS bugs