URL Rewriting for Good, not Evil: Using Alternative Resource Locators
Bryan Sullivan, Senior Security Program Manager, SDL, Microsoft

Top Web Vulns Have a Common Factor
• Cross-Site Scripting
  ▫ OWASP #1
• Cross-Site Request Forgery
  ▫ Growing fast
• Open Redirect Phishing
  ▫ Lots of MSRC cases
[www.owasp.org]
Propagation Via Poisoned Hyperlinks
• XSS
  ▫ foo.aspx?bar=<script>alert('xss')</script>
• XSRF
  ▫ foo.aspx?action=buy&symbol=GM
• Redirect Phishing
  ▫ foo.aspx?target=http://evil.com/foo.aspx
• Redirectors (TinyURL, bit.ly) make things worse
Browser History Theft
• Use any of the following:
  ▫ Script
  ▫ CSS
  ▫ iframe timing attacks
• Can't list all, but can check specific sites or searches
  ▫ www.verylargebank.com
  ▫ www.bing.com/search?q=scarlett+johannson
[popcrunch.com]
Solution: Personalize Hyperlinks
• Not URLs but PRLs (Personalized Resource Locators)
• Malicious link created by an attacker could only be used by him/her
• We already have an implementation mechanism: URL Rewriting
URL Rewriting in Brief
http://www.site.com/foo.html
http://www.site.com/{sessionID}/foo.html
• This usually causes more problems than it solves
  ▫ Session hijacking
  ▫ Session fixation

Example
http://www.xbox.com/{abc123...}/rockband.aspx
Rewrite with Canary, not Session ID
• Outbound:
  1. Server creates shared secret token (canary)
  2. Store canary value in session state
  3. Rewrite canary into URL
  4. Pass SID in cookie as usual
• Inbound:
  1. Server compares incoming canary against stored
  2. If missing or mismatched, reject request
Poisoned Links are Now Useless
www.site.com/{a1b2...}/foo.aspx?action=buy&symbol=GM
• Send it around in an email
• Post it on a page
• Hide the payload with a redirector
• None of these matter, because the victim can't use it
History Theft Becomes Infeasible
• Assume GUIDs are used for canaries
• Attacker must check all of these:
  www.site.com/{00000000-0000-0000-000000000000}/
  www.site.com/{00000000-0000-0000-000000000001}/
  www.site.com/{00000000-0000-0000-000000000002}/
  …
• 3.4 x 10^38 possibilities
  ▫ This would take a really, really long time to check
Stateless Alternative: Timed URLs
• Outbound:
  1. Get the current date/time
  2. Create a keyed hash of the timestamp
  3. Write the timestamp and hash into the URL
• Inbound:
  1. If timestamp or hash missing, reject request
  2. If timestamp and hash mismatch, reject request
  3. If timestamp older than specified expiration age (i.e. 5 minutes), reject request
Poisoned Links are Almost Useless
http://www.site.com/{07.30.2009...}/?action=buy&symbol=GM
• Links work for everyone, but only for a short lifespan
  ▫ 5 minutes or whatever the server has configured
• Seriously limits potential damage
History Theft Still Infeasible
• Attacker must make requests, store keyed hashes
• Assume millisecond granularity for timestamp
• Attacker must check all of these:
  www.site.com/{2009-07-30-T1330000000-HASH}/
  www.site.com/{2009-07-30-T1330000001-HASH}/
  www.site.com/{2009-07-30-T1330000002-HASH}/
  …
Appropriate Cryptography
• You must include a hash of the timestamp
  ▫ Otherwise attacker could create poisoned URLs with arbitrary expiration dates (+10 years)
• You must key the hash
  ▫ Otherwise attacker could precompute a valid hash
• Use SHA-2
  ▫ If you're going to go to this much trouble, use a secure algorithm
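The timed-URL procedure (outbound: timestamp plus keyed hash into the URL; inbound: reject missing, mismatched or expired tokens) together with the keying and SHA-2 requirements on this slide, as an added Python example that is not the speaker's code. The `/{timestamp-hash}/...` path layout, millisecond timestamps, the five-minute expiration age and the `SERVER_KEY` literal are assumptions; HMAC-SHA256 is the keyed SHA-2 hash chosen here.

```python
import hashlib
import hmac
import re

# Server-side secret that keys the hash. A real deployment would load this
# from configuration or a key store; the literal below is a constructed placeholder.
SERVER_KEY = b"replace-with-a-randomly-generated-server-secret"
MAX_AGE_MS = 5 * 60 * 1000  # expiration age: 5 minutes, in milliseconds

# Token layout assumed here: /{<ms timestamp>-<hex HMAC-SHA256>}/<original path>
_TOKEN_RE = re.compile(r"^/\{(\d+)-([0-9a-f]{64})\}(/.*)?$")


def _keyed_hash(timestamp_ms: int) -> str:
    # HMAC-SHA256 over the decimal timestamp. Without SERVER_KEY an attacker
    # cannot produce a valid hash for a timestamp of their choosing.
    msg = str(timestamp_ms).encode("ascii")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def rewrite_outbound(path: str, now_ms: int) -> str:
    """Outbound steps 1-3: prefix the path with the timestamp and its keyed hash."""
    return "/{" + str(now_ms) + "-" + _keyed_hash(now_ms) + "}" + path


def check_inbound(request_path: str, now_ms: int):
    """Inbound steps 1-3. Returns (accepted, reason, path without the token)."""
    match = _TOKEN_RE.match(request_path)
    if match is None:
        return False, "missing timestamp or hash", ""
    timestamp_ms = int(match.group(1))
    presented = match.group(2)
    stripped = match.group(3) or "/"
    # Constant-time comparison so the check itself does not leak hash bytes.
    if not hmac.compare_digest(presented, _keyed_hash(timestamp_ms)):
        return False, "hash mismatch", ""
    if now_ms - timestamp_ms > MAX_AGE_MS:
        return False, "expired", ""
    return True, "ok", stripped
```

A tampered timestamp (for example one pushed ten years into the future) fails the hash check before the age check is reached, which is the property the "you must key the hash" bullet relies on.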
Landing Pages
• You must designate one or more pages as "landing pages"
  ▫ These do not require canaries or keyed timestamps
  ▫ Otherwise no one will be able to use the site
[poandpo.com]
Bypassing Defenses
• External XSS will completely defeat these defenses
  ▫ Landing page
  ▫ Different application, same domain
• Use XSS to inject XHR
  ▫ Read token + redirect
  ▫ Read token + modify DOM
• POST redirection will defeat timed URLs
Temporary URL Bypass Technique
1. Attacker sets up malicious page [www.evil.com]
2. When called, malicious page sends request to protected page to determine valid token
3. Malicious page then redirects user to valid page
• Attacker now only needs to lure user to his malicious page as usual
  ▫ Phishing, etc.
Other Unfortunate Side Effects
• Can't email links
• Can't bookmark links
• Search engines can't index the site
Best Usage Scenario
• Don't apply to entire site
• Apply to secure subdomain
• www.verylargebank.com (regular URLs)
  ▫ Locations, hours
  ▫ Current interest rates
• secure.verylargebank.com (alternative URLs)
  ▫ Account balances
  ▫ Transfers
Conclusions
• Alternative URLs can be useful as defense-in-depth
• Don't just apply them globally
• Continue to find & fix vulnerabilities
• More resources
  ▫ MSDN Magazine, March 2009, Security Briefs
  ▫ blogs.msdn.com/sdl
  ▫ My alias: bryansul