CSC 443: Web Programming · 2020. 9. 21.
LECTURE 19: WEB SECURITY

Our current view of security: until now, we have assumed valid user input, non-malicious users, and that nothing will ever go wrong. This is unrealistic!


  • CSC 443: Web Programming, LECTURE 19: WEB SECURITY

    Our current view of security
    • until now, we have assumed:
    • valid user input
    • non-malicious users
    • nothing will ever go wrong
    • this is unrealistic!

  • The real world
    • in order to write secure code, we must assume:
    • invalid input
    • evil users
    • incompetent users
    • everything that can go wrong, will go wrong
    • everybody is out to get you
    • botnets, hackers, script kiddies, KGB, etc. are out there
    • the security mindset: assume nothing; trust no one

  • Attackers' goals
    • Why would an attacker target my site?
    • Read private data (usernames, passwords, credit card numbers, grades, prices)
    • Change data (change a student's grades, prices of products, passwords)
    • Spoofing (pretending to be someone they are not)
    • Damage or shut down the site, so that it cannot be successfully used by others
    • Harm the reputation or credibility of the organization running the site
    • Spread viruses and other malware

  • Tools that attackers use
    Assume that the attacker knows about web dev and has the same tools you have:
    • Firebug
    • extensions, e.g. Web Dev Toolbar
    • port scanners, e.g. nmap
    • network sniffers, e.g. Wireshark, EtherDetect, Firesheep

  • Some kinds of attacks
    • Denial of Service (DoS): Making a server unavailable by bombarding it with requests.
    • Social Engineering: Tricking a user into willingly compromising the security of a site (e.g. phishing).
    • Privilege Escalation: Causing code to run as a "privileged" context (e.g. "root").
    • Information Leakage: Allowing an attacker to look at data, files, etc. that he/she should not be allowed to see.
    • Man-in-the-Middle: Placing a malicious machine in the network and using it to intercept traffic.
    • Session Hijacking: Stealing another user's session cookie to masquerade as that user.
    • Cross-Site Scripting (XSS) or HTML Injection: Inserting malicious HTML or JavaScript content into a web page.
    • SQL Injection: Inserting malicious SQL query code to reveal or modify sensitive data.

  • Information leakage
    when the attacker can look at data, files, etc. that he/she should not be allowed to see
    • files on the web server that should not be there
    • or have too generous permissions (read/write to all)
    • directories that list their contents (indexing)
    • can be disabled on the web server
    • guess the names of files, directories, resources
    • see loginfail.php, try loginsuccess.php
    • see user.php?id=123, try user.php?id=456
    • see /data/public, try /data/private

  • Man-in-the-middle attack
    when the attacker listens on your network and reads and/or modifies your data
    • works if the attacker can access and compromise any server/router between you and your server
    • also works if you are on the same local area network as the attacker
    • often, the attacker still sends your info back and forth to/from the real server, but he silently logs or modifies some of it along the way to his own benefit
    • e.g. listens for you to send your username/password/credit card number/...

  • Secure HTTP (HTTPS)
    • HTTPS: encrypted version of the HTTP protocol
    • all messages between client and server are encrypted so men in the middle cannot easily read them
    • servers can have certificates that verify their identity

  • Session hijacking
    when the attacker gets a hold of your session ID and masquerades as you
    • exploits sites that use HTTPS for only the initial login:
    • HTTPS: browser → server (POST login.php)
    • HTTPS: browser ← server (login.php + PHPSESSID cookie)
    • HTTP: browser → server (GET whatever.php + PHPSESSID cookie)
    • HTTP: browser ← server (whatever.php + PHPSESSID cookie)
    • the attacker can listen to the network, get your session ID cookie, and make requests to the same server with that same session ID cookie to masquerade as you!
    • example: Firesheep
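The hijack above only works because the PHPSESSID cookie is later sent over plain HTTP. The following is an added example (not from the lecture) of how a PHP site can prevent that: redirect HTTP to HTTPS, set HSTS, and mark the session cookie Secure and HttpOnly. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and a site that is actually served over HTTPS; the onLoginSuccess() function is a hypothetical name.

```php
<?php
// Added example: keep the session cookie off the wire in plaintext.

// 1. Refuse to serve anything over HTTP: redirect to HTTPS before any session work.
//    $_SERVER['HTTPS'] is empty (or 'off' on some servers) for plain HTTP requests.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// 2. HSTS: tell the browser to use HTTPS for this host for the next year, so a
//    user who types http:// never makes the plaintext request in the first place.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// 3. Cookie flags for PHPSESSID:
//    secure   = the browser never sends the cookie over HTTP, so a network sniffer
//               on the same LAN (the Firesheep scenario) never sees it
//    httponly = injected JavaScript cannot read it via document.cookie
//    samesite = the cookie is not attached to requests initiated by other sites
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
// Accept session IDs only from the cookie, and only IDs the server itself issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

// 4. After a successful login, issue a fresh session ID so that any ID observed
//    before authentication cannot be reused (hypothetical helper name).
function onLoginSuccess(string $username): void {
    session_regenerate_id(true);   // true = discard the old session data
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}
```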

  • HTML injection
    a flaw where a user is able to inject arbitrary HTML content into your page
    • This flaw often exists when a page accepts user input and inserts it bare into the page.
    • What kinds of silly or malicious content can we inject into the page? Why is this bad?

    Injecting HTML content
    8ball.php?question=lololol

    • injected content can lead to:
    • annoyance/confusion
    • damage to data on the server
    • exposure of private data on the server
    • financial gain/loss
    • end of the human race as we know it
    • why is HTML injection bad? It allows others to:
    • disrupt the flow/layout of your site
    • put words into your mouth
    • possibly run malicious code on your users' computers

  • Cross-site scripting (XSS)
    a flaw where a user is able to inject and execute arbitrary JavaScript code in your page

    8ball.php?question=alert('pwned');

    • JavaScript is often able to be injected because of a previous HTML injection
    • masquerade as the original page and trick the user into entering sensitive data
    • steal the user's cookies
    • masquerade as the user and submit data on their behalf (submit forms, click buttons, etc.)
    • ...

  • Securing against HTML injection / XSS
    • one idea: disallow harmful characters
    • HTML injection is impossible without < >
    • can strip those characters from input, or reject the entire request if they are present
    • another idea: allow them, but escape them

    htmlspecialchars returns an HTML-escaped version of a string

    $text = "hi 2 u & me";
    $text = htmlspecialchars($text);   # "hi 2 u &amp; me"
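Escaping has to match where the text lands in the page. The following is an added example (not from the lecture) of the 8ball.php pattern from the slides, echoing the user's question both in element content and inside a quoted attribute; the helper name h() and the markup are assumptions for this demo.

```php
<?php
// Added example: one escaping helper applied to every untrusted value.
// ENT_QUOTES also converts ' and " to entities. The bare htmlspecialchars() call on the
// slide leaves single quotes alone, which is fine for element content but not for a
// value that is interpolated into a single-quoted attribute such as value='...'.
function h(string $untrusted): string {
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$question = $_GET['question'] ?? '';

// VULNERABLE (what the slide's 8ball.php does): the raw parameter is inserted bare, so
// any < > or quote characters in the question become part of the page's markup.
//   echo "<p>You asked: $question</p>";
//   echo "<input type='text' name='question' value='$question'>";

// HARDENED: the same markup, with each interpolated value escaped for its context.
// In element content, < > & become &lt; &gt; &amp;, so injected tags render as text.
echo "<p>You asked: " . h($question) . "</p>\n";

// In a quoted attribute, the quote characters are escaped as well, so the value cannot
// close the value='...' attribute and add attributes of its own.
echo "<input type='text' name='question' value='" . h($question) . "'>\n";

// Limits: htmlspecialchars() does not make a value safe inside a <script> block, a
// style attribute, or a URL; keep untrusted data out of those contexts entirely.
```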

  • Another XSS example
    • example: Lab 4, Buy-a-Grade (buyagrade.html)
    • Recall that the user submits his name, section, and credit card number to the server, which are then displayed on the page.
    • How can we inject HTML/JavaScript into the page? Be creative...
    • What could we do to steal the user's sensitive information?

  • SQL injection
    a flaw where the user is able to inject arbitrary SQL into your query
    • This flaw often exists when a page accepts user input and inserts it bare into the query.
    • What kinds of SQL can we inject into the query? Why is this bad?

  • A SQL injection attack
    • The query in the Simpsons PHP code is:

    $query = "SELECT * FROM students WHERE username = '$username' AND password = '$password'";

    • Are there malicious values for the username and password that we could enter?
    • Password: ' OR '1'='1
    • This causes the query to be executed as:

    $query = "SELECT * FROM students WHERE username = '$username' AND password = '' OR '1'='1'";

    • What will the above query return? Why is this bad?

    Too true...

    • injected SQL can:
    • change the query to output others' data (revealing private information)
    • insert a query to modify existing data (increase bank account balance)
    • delete existing data (; DROP TABLE students; -- )
    • bloat the query to slow down the server (JOIN a JOIN b JOIN c ...)
    • ...

  • Securing against SQL injection
    • similar to securing against HTML injection, escape the string before you include it in your query

    quote returns a SQL-escaped version of a string

    $username = $db->quote($_POST["username"]);
    $password = $db->quote($_POST["password"]);
    $query = "SELECT name, ssn, dob FROM users WHERE username = $username AND password = $password";

    • replaces ' with \', etc., and surrounds the value with quotes
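To see why the password value from the slide matters, and how quote() and prepared statements both defeat it, here is an added example (not from the lecture) that runs the Simpsons login query three ways against a constructed in-memory SQLite table. It assumes the pdo_sqlite extension is available; the table, rows and passwords are made up for the demo.

```php
<?php
// Added example: bare interpolation vs quote() vs a prepared statement.
// Constructed data: a real system would store password hashes, never plaintext.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE students (username TEXT, password TEXT)");
$db->exec("INSERT INTO students VALUES ('homer', 'd0nuts'), ('lisa', 'sax0phone')");

// The password from the slide; the username does not matter for this input.
$username = 'nobody';
$password = "' OR '1'='1";

// 1. VULNERABLE: input spliced bare into the SQL text (the slide's $query).
//    The quote in $password closes the string literal, and since AND binds tighter
//    than OR the WHERE clause becomes (... AND password = '') OR '1'='1',
//    which is true for every row.
$query = "SELECT * FROM students WHERE username = '$username' AND password = '$password'";
$bareRows = $db->query($query)->fetchAll(PDO::FETCH_ASSOC);

// 2. ESCAPED: the slide's fix. quote() wraps the value in quotes and escapes the
//    embedded quote character (how depends on the driver), so the whole input stays
//    inside one string literal and is compared as an ordinary password string.
$qu = $db->quote($username);
$qp = $db->quote($password);
$escapedRows = $db->query("SELECT * FROM students WHERE username = $qu AND password = $qp")
                  ->fetchAll(PDO::FETCH_ASSOC);

// 3. PARAMETERISED: the preferred approach. The SQL text never contains user data,
//    so there is nothing to escape and no quoting rule to get wrong.
$stmt = $db->prepare("SELECT * FROM students WHERE username = :u AND password = :p");
$stmt->execute([':u' => $username, ':p' => $password]);
$preparedRows = $stmt->fetchAll(PDO::FETCH_ASSOC);

printf("bare: %d rows, quote(): %d rows, prepared: %d rows\n",
       count($bareRows), count($escapedRows), count($preparedRows));
```

Run it from the command line with php; only the bare variant matches rows, and it matches all of them.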