Ethics
• Only hack into sites you own
  – Or you have permission
• Popular sites may have bug bounty program
  – Facebook
  – GitHub
  – Google
• You will get caught
Doupé - 11/24/14
Many Vulnerabilities
• Cross-Site Scripting (XSS)
• SQL Injection
• Cross-Site Request Forgery (XSRF)
• HTTP Parameter Pollution (HPP)
• Command Injection
• Parameter Manipulation
• File Exposure
• Directory Traversal
• Forced Browsing
• Logic Flaws
• Execution After Redirect (EAR)
HTTP Client Request
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: www.facebook.com
Accept: */*
HTTP Server Response
HTTP/1.1 200 OK
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head>
<script>... </script>
<title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>
JavaScript
• Makes the page dynamic
• Full control over page
  – Layout
  – Asynchronous requests
  – Event handlers
• Code from the website running on your browser
Same Origin Policy
• Browser JavaScript Security Policy
• Origin = (protocol, host, port)
  https://www.facebook.com/ → (https, www.facebook.com, 443)
  http://www.cnn.com/ → (http, www.cnn.com, 80)
Same Origin Policy
• Cookies (document.cookie)
• DOM
• localStorage
• XMLHttpRequests
• img
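As an added example (not code from the lecture), the origin comparison the browser performs, written in JavaScript: it reduces a URL to the (protocol, host, port) triple from the previous slide, filling in the default port the way browsers do, and then decides whether two URLs share an origin. It relies on Node's built-in WHATWG URL class; the URLs other than the two Facebook/CNN ones from the slide are constructed for the example.

```javascript
// Added example: origin triple and same-origin test (not part of the lecture deck).
// Uses the global URL class available in Node and browsers.

// Default ports browsers assume when the URL omits one. The WHATWG URL parser
// also strips an explicit default port, so "https://host:443/" reports port "".
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to the triple the Same Origin Policy compares.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol];
  if (port === undefined) {
    throw new Error(`no default port known for scheme ${u.protocol}`);
  }
  return { protocol: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs are same-origin only when all three components match exactly;
// path, query and fragment play no part.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Stand-alone demo: the two URLs from the slide plus constructed variants that
// differ in exactly one component each.
const PAGE = "https://www.facebook.com/";
const TARGETS = [
  "http://www.cnn.com/",                  // different protocol, host and port
  "https://www.facebook.com:443/login",    // same origin: explicit default port, other path
  "http://www.facebook.com/",              // protocol differs (and so does the default port)
  "https://www.facebook.com:8443/",        // port differs
  "https://facebook.com/",                 // host differs (subdomain is a different origin)
];

for (const t of TARGETS) {
  const o = originOf(t);
  console.log(`${t} -> (${o.protocol}, ${o.host}, ${o.port}) sameOrigin=${sameOrigin(PAGE, t)}`);
}
```

Only the second target is same-origin with the page; every other difference, including a missing "www", is enough for the browser to block DOM, cookie, localStorage and XMLHttpRequest access across the pair.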
Cross-Site Scripting (XSS)
• Malicious JavaScript running in the context of your web application
http://example.com/test.php?name=adam
<html> <body> <p>Hello <?= $name ?></p> </body></html>
http://example.com/test.php?name=adam
<html> <body> <p>Hello adam</p> </body></html>
http://example.com/test.php?name=<script>alert('xss')</script>
<html> <body> <p>Hello <?= $name ?></p> </body></html>
<html> <body> <p>Hello <script>alert('xss')</script></p> </body></html>
http://example.com/test.php?name=<script>alert('xss')</script>
Exploits – Phishing
• Malicious JavaScript can completely control the DOM
• Change current page to login page where the login sends credentials to the attacker
Exploits – Session Theft
• HTTP is session-less
  – No HTTP-native way to tie requests to the same user
• Web applications typically use cookies to create a session
  – Session describes who the user is, if they've passed authentication
• JavaScript has access to cookies…
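A defender's check, added here and not part of the deck: the server response shown earlier set four cookies, one of them with the httponly flag. The small parser below (written for this example; the attribute handling is minimal) reads those Set-Cookie lines and reports which cookies document.cookie would expose to injected script and which were set without Secure.

```javascript
// Added example: audit Set-Cookie headers for the flags that limit what
// injected JavaScript can steal. Not code from the lecture.

// The four Set-Cookie lines from the HTTP server response slide earlier in the deck.
const SET_COOKIE_LINES = [
  "datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly",
  "reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com",
  "reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com",
  "reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com",
];

// Parse one Set-Cookie header value: "name=value; attr; attr=value; ...".
// Attribute names are case-insensitive, so they are lower-cased for lookup.
function parseSetCookie(line) {
  const [pair, ...attrParts] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (part === "") continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return {
    name,
    value,
    attrs,
    httpOnly: "httponly" in attrs,
    secure: "secure" in attrs,
    // Max-Age=0 (or an expiry in the past) is a deletion, not a cookie the
    // browser will keep, so it is excluded from the findings below.
    deleted: attrs["max-age"] === "0",
  };
}

// Cookies readable through document.cookie: everything stored without HttpOnly.
function scriptReadableCookies(lines) {
  return lines.map(parseSetCookie)
    .filter((c) => !c.deleted && !c.httpOnly)
    .map((c) => c.name);
}

// Cookies the browser will also send over plain http:// because Secure is absent.
function cookiesWithoutSecure(lines) {
  return lines.map(parseSetCookie)
    .filter((c) => !c.deleted && !c.secure)
    .map((c) => c.name);
}

console.log("readable by injected script:", scriptReadableCookies(SET_COOKIE_LINES));
console.log("sent over plain HTTP too:   ", cookiesWithoutSecure(SET_COOKIE_LINES));
```

On the slide's response only datr is protected from script; the two reg_fb_* cookies are readable, and none of the three stored cookies carries Secure. HttpOnly stops the session-theft exploit on this slide but not the unauthorized-actions one on the next, since the browser still attaches the cookie to requests the script makes.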
Exploits – Unauthorized Actions
• JavaScript can make requests to the web application
  – Browser sends cookies
  – Appears as if the user made the request (clicked the link or filled out the form)
• Malicious JavaScript can make requests to the web application on your behalf
Exploits – Worms
• Stored XSS vulnerability + Unauthorized Actions
  – Self-propagating worm
• Social networks particularly susceptible
  – "samy is my hero" (2005)
  – Tweetdeck (2014)
XSS – Prevention
• Sanitize all user inputs using a known sanitization routine
• Depends on where output is in HTML page
  – < and > necessary in HTML
  – Only need ' in JavaScript

Output contexts shown on the slide:
<html>
<script> var test = "<?= $name ?>"; </script>
<div <?= $name ?>>
http://example.com/?adam=$name

Injected fragments shown alongside them:
< <<
%27
onload="javascript:alert(xss);"
""alert('xss');//"
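Added example, not code from the lecture: the "Hello <?= $name ?>" template from the earlier slides rendered in Node first the vulnerable way and then with escaping, followed by escaping routines for the JavaScript-string and URL contexts this slide lists. The function names, the hex-escape scheme for JavaScript strings, and the choice to move the <div> case into a quoted attribute value are this example's own; the payload is the one from the slides.

```javascript
// Added example: context-dependent output encoding for the slide's three
// contexts (HTML body, JavaScript string literal, URL parameter). Not part of
// the lecture deck.

const PAYLOAD = "<script>alert('xss')</script>"; // the payload used on the slides

// Vulnerable rendering: mirrors <p>Hello <?= $name ?></p>, inserting the
// query parameter verbatim, so the payload becomes live markup.
function renderHelloVulnerable(name) {
  return `<html><body><p>Hello ${name}</p></body></html>`;
}

// HTML body / quoted-attribute context: encode the five characters that can
// open or close markup or terminate a quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHelloSafe(name) {
  return `<html><body><p>Hello ${escapeHtml(name)}</p></body></html>`;
}

// JavaScript string-literal context (var test = "<?= $name ?>";): escaping only
// the quote is not enough, because "</script>" inside the literal still ends
// the script block. Hex-escape every non-alphanumeric character instead.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

function renderScriptSafe(name) {
  return `<script>var test = "${escapeJsString(name)}";</script>`;
}

// URL parameter context (http://example.com/?adam=$name): percent-encode.
// Note encodeURIComponent leaves ' ( ) untouched, which is fine inside a
// query string but matters once the URL is placed into HTML (see below).
function renderLinkSafe(name) {
  return `http://example.com/?adam=${encodeURIComponent(name)}`;
}

// Encodings layer: a URL built for the query context that then lands in an
// href attribute also needs the HTML-attribute encoding applied on top.
function renderHrefSafe(name) {
  return `<a href="${escapeHtml(renderLinkSafe(name))}">link</a>`;
}

// The slide's <div <?= $name ?>> puts user data where an attribute *name*
// belongs; no encoder makes that position safe. Emit it as a quoted attribute
// value instead, where escapeHtml applies.
function renderDivSafe(name) {
  return `<div data-name="${escapeHtml(name)}"></div>`;
}

// Check used in the demo: does the output still contain the payload's script tag?
function containsPayloadScript(html) {
  return html.includes("<script>alert('xss')</script>");
}

console.log("vulnerable:", containsPayloadScript(renderHelloVulnerable(PAYLOAD)));
console.log("escaped:   ", containsPayloadScript(renderHelloSafe(PAYLOAD)));
console.log(renderScriptSafe(PAYLOAD));
console.log(renderHrefSafe(PAYLOAD));
```

The point the slide makes is visible in the outputs: the HTML encoder is useless inside the JavaScript literal (a bare `"` still ends the string there), and the URL encoder alone is not enough once the link is placed in an attribute, so each sink gets the encoder for its own context.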
Tools
• Browser Developer Tools
• Wireshark
• Burp Proxy
• SQLMap
• OWASP Broken Web Apps Project
• Google Gruyere