Computer Security Management (ISYS20261)

Lecture 9 - Web application attacks

Module Leader: Dr Xiaoqi Ma

School of Science and Technology



Page 2: Isys20261 lecture 09

Computer Security ManagementPage 2

Today ...

… we will discuss:

• Session Hijacking

• Code injection

• Cross-site scripting (XSS)

• Pharming

• URL spoofing

Page 3: Isys20261 lecture 09


HTTP cookie (1)

• An HTTP cookie is usually a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website.

– When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify it of the user's previous activity.

• Introduces state into HTTP transactions, used by Web servers to differentiate users and to maintain data related to the user

• Data in cookie might be random or meaningful

• Server has to maintain a database of cookies

• Specification:

– four kilobytes of data each

– Browser stores at least 300 cookies

– at least 20 cookies per server or domain

Page 4: Isys20261 lecture 09


HTTP cookies (2)

• Example (message sequence between a Server and two clients, Client1 and Client2):

– Client1 → Server: page request

– Server → Client1: page data + cookie1

– Client1 → Server: page request + cookie1

– Client2 → Server: page request + cookie2

– Server → Client1: page data

– Server → Client2: page data

Page 5: Isys20261 lecture 09


Session hijacking

• Session IDs:

– typically granted to a visitor on his first visit to a site

– may become invalid after a certain goal has been met

– often used to identify a user that has logged into a website

– often long randomly-generated string

• Session hijacking:

– attacker uses captured, brute-forced or reverse-engineered session IDs to seize control of a legitimate user's session while that session is still in progress

– often servers perform additional verification of the client, e.g. locking a session ID to the client's IP address

– simple and effective measure as long as the attacker cannot connect to the server from the same address

Page 6: Isys20261 lecture 09


Session sidejacking

• Attacker uses packet sniffing to read network traffic between two parties to steal the session cookie

• Often web sites use SSL encryption for login pages but do not use encryption for the rest of the site once authenticated

• Attackers then can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client

• Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised

• Unsecured WiFi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point
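The three preceding slides (cookie issuance, session IDs with IP locking, and sidejacking over unencrypted pages) can be tied together in one server-side sketch. The following Python is an added example written for this page, not code from the lecture; the session store, client addresses and the header strings it prints are constructed for illustration. It issues an unguessable session ID from the OS random source, sends it with the Secure and HttpOnly attributes so that a sniffer on an open network never sees it over plain HTTP, and refuses a session presented from an address other than the one it was issued to.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store (session ID -> record). This stands in for the
# database of cookies the server has to maintain. Constructed for this example.
SESSIONS = {}


def issue_session(username, client_ip):
    """Start a session for a user who has just logged in.

    Returns (session_id, Set-Cookie header line). The ID is 32 random bytes
    from the OS CSPRNG, so it cannot be guessed or brute-forced; the record
    remembers the client address so later requests can be checked against it.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "ip": client_ip}

    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True      # only sent over HTTPS: never visible to a sniffer on plain HTTP
    cookie["sid"]["httponly"] = True    # not readable by page scripts (limits what XSS can steal)
    cookie["sid"]["samesite"] = "Lax"   # not attached to most cross-site requests
    cookie["sid"]["path"] = "/"
    header = cookie.output(header="Set-Cookie:").strip()
    return session_id, header


def resolve_session(cookie_header, client_ip):
    """Map an incoming request to a username.

    Returns None when no session cookie is present, the ID is unknown, or the
    request comes from a different address than the one the session was issued
    to (the IP-locking check the slide describes).
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    if morsel is None:
        return None
    record = SESSIONS.get(morsel.value)
    if record is None:
        return None
    if record["ip"] != client_ip:
        # Same cookie, different address: do not honour it.
        return None
    return record["user"]


def revoke_session(session_id):
    """Invalidate a session explicitly (logout) so the ID cannot be reused."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    # Two clients receive two different cookies, as in the sequence diagram.
    sid1, hdr1 = issue_session("alice", "198.51.100.7")
    sid2, hdr2 = issue_session("bob", "198.51.100.8")
    print(hdr1)
    print("alice from her own address:", resolve_session("sid=" + sid1, "198.51.100.7"))
    print("alice's cookie replayed elsewhere:", resolve_session("sid=" + sid1, "203.0.113.9"))
    print("bob:", resolve_session("sid=" + sid2, "198.51.100.8"))
```

The IP check is the slide's "simple and effective measure"; in practice it is paired with the Secure attribute, because locking to an address does nothing against an attacker who reads the cookie off the same WiFi network and sits behind the same NAT address.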

Page 7: Isys20261 lecture 09


Code injection

• Breaking into applications by processing invalid data

• Used by an attacker to introduce code into a computer program to change the course of execution

• Examples:

– SQL injection

– PHP injection

– Etc.

Page 8: Isys20261 lecture 09


SQL injection example

• Takes advantage of the syntax of SQL to inject commands that can compromise the meaning of the original query

• Statement:

– SELECT * FROM users WHERE name = '" + name + "';

• If the user enters   a' OR 't'='t   for name, the statement changes to:

– SELECT * FROM users WHERE name = 'a' OR 't'='t';

• Forces the selection of all valid usernames because the evaluation of 't'='t' is always true!

• Defence:

– Input validation

– Escaping dangerous characters

– Etc.
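The slide's query and its two defences can be run against a real database engine. The following is an added example for this page, not the lecture's own code; it uses Python's built-in sqlite3 module with a constructed two-row users table. The concatenated statement returns every row for the slide's input, the parameterised version returns nothing because the input is bound as a value rather than spliced into the SQL, and the allow-list validator rejects the input before it reaches the database at all.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The slide's statement, built by string concatenation.

    Whatever the user types is pasted into the SQL text, so a quote in the
    input ends the string literal and the remainder is parsed as SQL.
    """
    query = "SELECT * FROM users WHERE name = '" + name + "';"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, name):
    """Same lookup with a bound parameter.

    The driver passes the SQL and the value separately; the value can never
    change the statement's structure, whatever characters it contains.
    """
    return conn.execute("SELECT * FROM users WHERE name = ?;", (name,)).fetchall()


# Allow-list for usernames: letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(name):
    """Input validation: accept only the characters a username may contain."""
    return USERNAME_RE.match(name) is not None


def lookup_defended(conn, name):
    """Validation and parameterisation together: reject malformed input
    early, and still bind it as a value when it passes."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return lookup_parameterised(conn, name)


if __name__ == "__main__":
    db = make_db()
    payload = "a' OR 't'='t"
    print("vulnerable:   ", lookup_vulnerable(db, payload))     # both rows come back
    print("parameterised:", lookup_parameterised(db, payload))  # no user has that literal name
    print("validated:    ", is_valid_username(payload))         # False
```

Parameterisation is the primary defence; validation on top of it keeps obviously malformed input out of logs and error paths, and escaping (the slide's other option) is only a fallback for the rare places where a value cannot be bound.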

Page 9: Isys20261 lecture 09


Cross site scripting (XSS) (1)

• Possible in web applications which allow code injection by malicious web users into the web pages viewed by other users

• Examples:

– HTML code

– client-side scripts

– etc

• Can be used by attackers to bypass access controls

• In 2007, cross-site scripting vulnerabilities on websites made up roughly 80% of all documented security vulnerabilities

• Usually the end-user does not notice that he/she is subject to unauthorized access, theft of sensitive data, and financial loss

Page 10: Isys20261 lecture 09


Cross site scripting (XSS) (2)

• Different types:

– Type 0: Document Object Model (DOM)-based

– Type 1: Non-Persistent (reflective)

– Type 2: Persistent

• Type 1 most common, type 2 most dangerous

Page 11: Isys20261 lecture 09


Type 0

1. Ivan sends a URL to Alice (via email or another mechanism) of a maliciously constructed web page

2. Alice clicks on the link

3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer

4. The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone

5. Ivan’s malicious script now may run commands with the privileges Alice holds on her own computer

Page 12: Isys20261 lecture 09


Type 1 (1)

1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, e.g. billing information

2. Ivan observes that Bob's website contains a reflected (type 1) XSS vulnerability

3. Ivan crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob (spoofing)

4. Alice visits the URL provided by Ivan while logged into Bob's website

5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server. The script steals sensitive information and sends this to Ivan’s web server without Alice's knowledge

Page 13: Isys20261 lecture 09


Type 1 (2)

• Website that offers search functionality:

http://website.com/?search=name

• Website echoes (reflects) input without checking:

<p>You were looking for: name</p>

• If <script type="text/javascript">alert("XSS")</script> is used for name:

• Server echoes script that is then executed locally:

<p>You were looking for: <script type="text/javascript">alert("XSS")</script></p>

Page 14: Isys20261 lecture 09


Type 2 (1)

1. Bob hosts a web site which allows users to post messages and other content to the site for later viewing by other members

2. Ivan notices that Bob's website is vulnerable to a type 2 XSS attack

3. Ivan posts a message that contains a (hidden) script

4. By viewing the posted message, site users' session cookies or other credentials could be taken and sent to Ivan's web server without their knowledge

5. Later, Ivan logs in as other site users and posts messages on their behalf.

Page 15: Isys20261 lecture 09


Type 2 (2)

• If a web site offers a guest book facility:

• Attacker enters for example:

Nice web site!<script type="text/javascript">alert("XSS")</script>

• Every user who reads the guest book executes the attacker's script!
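Both the reflected search page (Type 1 (2)) and the guest book (Type 2 (2)) fail for the same reason: user input is written into the page as markup. The following Python is an added example written for this page, not code from the lecture; the page templates, the guest-book entries and the header values are constructed. It shows the slide's unchecked echo beside the escaped version, the same escaping applied to stored guest-book messages, the different encoding needed when the value lands inside a link's attribute, and a Content-Security-Policy header as a second line of defence.

```python
import html
from urllib.parse import urlencode


def render_search_unsafe(term):
    """The slide's reflected page: the search term is echoed without checking."""
    return "<p>You were looking for: " + term + "</p>"


def render_search(term):
    """Same page with the term escaped before it is placed in HTML text.

    html.escape turns <, >, &, " and ' into entities, so a submitted <script>
    tag is displayed as text rather than parsed by the browser as markup.
    """
    return "<p>You were looking for: " + html.escape(term) + "</p>"


def render_search_link(term):
    """Escaping is context-specific: a value placed inside an href is first
    URL-encoded for the query string and then entity-escaped for the attribute."""
    query = urlencode({"search": term})
    return '<a href="/?' + html.escape(query) + '">search again</a>'


def render_guestbook(entries):
    """Stored case: every message is escaped at render time, so a script posted
    once is neutralised for every reader, not just the poster."""
    items = "".join("<li>" + html.escape(entry) + "</li>" for entry in entries)
    return "<ul>" + items + "</ul>"


def contains_markup(text):
    """Monitoring hook: the output is already safe, but input that carries
    angle brackets is worth logging so probing of the form can be noticed."""
    return "<" in text or ">" in text


# Response headers to send with every page. The policy allows scripts only
# from the site's own origin, so an inline script that slips past an escape
# is still refused by the browser. Constructed values for this example.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    payload = '<script type="text/javascript">alert("XSS")</script>'
    print(render_search_unsafe(payload))   # script tag survives into the page
    print(render_search(payload))          # rendered as harmless text
    print(render_guestbook(["Nice web site!" + payload, "Hello from Alice"]))
    print(render_search_link(payload))
```

The guest-book function escapes on output rather than on input; that way messages are stored exactly as typed, and the same rule protects every place the text is later displayed.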

Page 16: Isys20261 lecture 09


Pharming

• Attempt to subvert DNS systems to redirect network traffic to a malicious system

• Can be achieved by:

– attacking DNS servers, planting bogus data in their cache so that when a site's IP address is requested, that of the attacker's site is supplied instead

– changing the hosts file on the local system so that certain sites will be redirected

• Victim's attempts to access certain sites will be redirected silently and invisibly

• Can be hard to detect locally
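The second pharming route the slide names, a modified hosts file, is the one that can be checked locally. The following Python is an added example for this page, not code from the lecture; the hosts-file text, the watched hostnames and the addresses are all constructed. It parses hosts-file syntax (comments, blank lines, several names per line) and reports any watched hostname pinned to an address other than loopback, which is how a local redirect of a banking or login site would show up.

```python
import ipaddress

# Constructed sample hosts file. The last two lines are the kind of entry a
# pharming change leaves behind: well-known names pinned to outside addresses.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample)
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  www.examplebank.example
203.0.113.5 login.example.org mail.example.org
"""

# Names whose resolution should never be overridden on this machine (constructed).
WATCHED = {"www.examplebank.example", "login.example.org"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments after '#' and blank lines are ignored; a line may list several
    hostnames for one address. Lines whose first field is not an IP address
    are skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def find_pharming_entries(text, watched):
    """Return (hostname, ip) for every watched name mapped to a non-loopback
    address. Loopback entries are left alone: mapping a site to 127.0.0.1 is a
    common way to block it, not to redirect it."""
    hits = []
    for ip, host in parse_hosts(text):
        if host in watched and not ipaddress.ip_address(ip).is_loopback:
            hits.append((host, ip))
    return hits


def audit_hosts_file(path, watched):
    """Read a real hosts file and report suspicious entries (path is the caller's choice,
    e.g. /etc/hosts on Unix-like systems)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pharming_entries(fh.read(), watched)


if __name__ == "__main__":
    for host, ip in find_pharming_entries(SAMPLE_HOSTS, WATCHED):
        print("hosts file overrides %s -> %s" % (host, ip))
```

A hosts-file check catches only the local variant; cache poisoning at the resolver is invisible from the client, which is why the slide says pharming can be hard to detect locally, and why the remaining signal is a certificate that does not match the site name.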

Page 17: Isys20261 lecture 09


URL spoofing

• Common way to redirect a user to a web site that looks authentic

• This web site might be a spoof with templates that look identical to the actual web site

• Users enter their login information into the fake web site, providing the attacker with data that can be used to enter the real web site

• Example: [email protected] looks like a URL to the google search engine but in reality it is a URL to the members.aol.com server!
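The trick in the slide's example is the userinfo part of a URL: everything between "//" and "@" is a username (optionally with a password), not the host, so a familiar site name can be placed there while the browser connects to whatever follows the "@". The following Python is an added example for this page, not the lecture's code; the URL in it is constructed in that form using the two server names the slide mentions. It extracts the host a browser would really contact and flags links whose userinfo is shaped like a hostname, the kind of check a mail gateway or link scanner would apply.

```python
from urllib.parse import urlsplit


def effective_host(url):
    """The host a browser actually connects to.

    urlsplit separates the authority into userinfo and host, so for
    http://A@B/ this returns B whatever A looks like.
    """
    return urlsplit(url).hostname


def looks_deceptive(url):
    """Flag URLs whose userinfo is shaped like a web hostname.

    Real userinfo in web links is rare; a dotted name or a 'www' prefix in
    that position is the pattern the slide describes: one server's name
    before the '@', a different server after it.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return False
    user = parts.username.lower()
    return "." in user or user.startswith("www")


def describe(url):
    """Human-readable verdict for a link."""
    host = effective_host(url)
    if looks_deceptive(url):
        return "DECEPTIVE: looks like %s but connects to %s" % (urlsplit(url).username, host)
    return "connects to %s" % host


if __name__ == "__main__":
    # Constructed link in the form the slide describes: the name before '@' is
    # only userinfo; the request goes to the server after it.
    for link in ("http://www.google.com@members.aol.com/", "https://www.google.com/"):
        print(link, "->", describe(link))
```

Modern browsers warn about, or strip, userinfo in HTTP links for exactly this reason, but the check is still useful on the server side of mail and chat systems, where a link is displayed before any browser sees it.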