Web Application Security

Introduction

3 Tier Web Application Architecture: HTTP Client -> HTTP Server -> Application Server (Business logic) -> Database Server

Untrustworthy Client: The golden rule of web application security is that the client is never trust worthy.

Conflicting requirements:

1. Functional Requirement: we need to mix code with data(blog comments)
2. Security Requirement: never mix code with data

Validation

• Whitelisting: Effective but limited.
• Blacklisting: Good but not safe enough.
• Escaping: Transform some special char into something else.

Cross Site Scripting[XSS]

Cross site scripting is a vulnerability by means of which client-side code can be injected in a page.

Cookie theft or session hijack

Manipulation of a session and execution of fraudulent transaction

Snooping on private information

Effectively bypasses the same-origin policy

Drive by Download

1. Stored XSS: The attacker input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc.存储型XSS，又称持久型XSS，他和反射型XSS最大的不同就是，攻击脚本将被永久地存放在目标服务器的数据库和文件中。这种攻击多见于论坛，攻击者在发帖的过程中，将恶意脚本连同正常信息一起注入到帖子的内容之中。随着帖子被论坛服务器存储下来，恶意脚本也永久地被存放在论坛服务器的后端存储器中。当其它用户浏览这个被注入了恶意脚本的帖子的时候，恶意脚本则会在他们的浏览器中得到执行，从而受到了攻击。比如用<script>镶嵌恶意脚本在某帖子，浏览者均会中招。可以看到，存储型XSS的攻击方式能够将恶意代码永久地嵌入一个页面当中，所有访问这个页面的用户都将成为受害者。如果我们能够谨慎对待不明链接，那么反射型的XSS攻击将没有多大作为，而存储型XSS则不同，由于它注入的往往是一些我们所信任的页面，因此无论我们多么小心，都难免会受到攻击。可以说，存储型XSS更具有隐蔽性，带来的危害也更大，除非服务器能完全阻止注入，否则任何人都很有可能受到攻击。
2. Reflected XSS:反射型XSS，又称非持久型XSS。之所以称为反射型XSS，则是因为这种攻击方式的注入代码是从目标服务器通过错误信息、搜索结果等等方式“反射”回来的。而称为非持久型XSS，则是因为这种攻击方式具有一次性。攻击者通过电子邮件等方式将包含注入脚本的恶意链接发送给受害者，当受害者点击该链接时，注入脚本被传输到目标服务器上，然后服务器将注入脚本“反射”到受害者的浏览器上，从而在该浏览器上执行了这段脚本。比如攻击者将如下链接发送给受害者： http://www.targetserver.com/search.asp?input=<script>alert(document.cookie);</script>当受害者点击这个链接的时候，注入的脚本被当作搜索的关键词发送到目标服务器的search.asp页面中，则在搜索结果的返回页面中，这段脚本将被当作搜索的关键词而嵌入。这样，当用户得到搜索结果页面后，这段脚本也得到了执行。这就是反射型XSS攻击的原理，可以看到，攻击者巧妙地通过反射型XSS的攻击方式，达到了在受害者的浏览器上执行脚本的目的。由于代码注入的是一个动态产生的页面而不是永久的页面，因此这种攻击方式只在点击链接的时候才产生作用，这也是它被称为非持久型XSS的原因。
3. DOM Based XSS:通常这个页面作为用户欢迎页面, 例如:http://www.vulnerable.site/welcome.html?name=Joe,然而，如下的一个请求: http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>将产生xss条件。让我们看看为什么：受害者的浏览器接收到这个链接，发送HTTP请求到www.vulnerable.site并且接受到上面的HTML页。受害者的浏览器开始解析这个HTML为DOM，DOM包含一个对象叫document，document里面有个URL属性，这个属性里填充着当前页面的URL。当解析器到达javascript代码，它会执行它并且修改你的HTML页面。倘若代码中引用了document.URL，那么，这部分字符串将会在解析时嵌入到HTML中，然后立即解析，同时，javascript代码会找到(alert(…))并且在同一个页面执行它，这就产生了xss的条件。\

SXSS
<script>
   alert('JavaScript Executed');
</script>

DBXSS
<script>
    document.write("<b>Current URL</b> : " + document.baseURI);
</script>

Same Origin Policy: all client-side code (e.g., JavaScript) loaded from origin A should only be able to access data from origin A[Origin = ]

Solution of XSS

Blacklisting: BAD

Escaping

CSP

SQL Injection

SELECT * FROM Users WHERE username='cesare' AND password='secret;)';

But in SQL ‘–’ means comment! We could have username as cesare’;–

SELECT * FROM Users WHERE username='cesare';--' AND password='';

Or even without a user name, we insert into username of ‘ OR ‘1’=’1’;–

SELECT * FROM Users WHERE username='' OR '1'='1';--' AND password='';

Even Retrive more!

SELECT name, phone, address FROM Users WHERE Id='' UNION ALL SELECT name, creditCardNumber,CCV2 from CreditCardTable;--';

Or Insert! Here in the username we fill in cesare’, ‘30L’)–

INSERT INTO results VALUES (NULL, 'cesare', '30L')--', '18')

Solution of SQL Injection

Filering: could be a bad for the password field

URL Tampering

Do the hacking by changing the url. Like insert a path in the url.

Password Security

Cookies

Cookies Store the client information.

Original Idea: Site Customization

Abuse: Privacy Violations

Dangeous Idea: User Authentication and sessions

Since HTTP is stateless, hijacking can occur:

• By stealing a cookie with an XSS attack
• By brute forcing a weak session id parameter

Cross-Site Request Forgery (CSRF)

Forces an user to execute unwanted actions (state-changing action) on a web application in which he is currently authenticated (e.g., with cookies).登录受信任网站A，并在本地生成Cookie。然后在不登出A的情况下，访问危险网站B。There should be state-changing action in the page that needs to be protected against CSRF.

Key Concept: malicious requests (e.g., crafted links) are routed to the vulnerable web application through the victim’s browser: Websites cannot distinguish if the requests coming from authenticated users have been originated by an explicit user interaction or not.

Solution: Use Session tokens, random challenge token, it could associated to user’s session (unique) and regenerated at each request (e.g., for form involving sensitive operations)

Network Protocal Attacks

Denial of Service (against availability): service unavailablt to legitimate users

Examples: Killer Packets, SYN Flood, Smurf/multiplication/amplification attacks, Distributed DoS

Killer Packets

Ping of Death-攻击者故意发送大于65535字节的ip数据包给对方。

Teardop-向目标主机发送损坏的IP包，使其难以被目标主机重新组合。只需要几个数据包，就可以使目标主机卡死,蓝屏,重启。

Land Attack-srcIP==dstIP, loop and lock up a TCP/IP stack.

SYN Flood Attacks

Attacker generates a high volume of SYN requests with spoofed source address. Many half-open TCP/IP connections fill the queue.

Solution: SYN-cookies avoid this: reply with SYN+ACK but discard the half-open connection, and wait for a subsequent ACK.

Distributed DoS

Botnet: network of compromised computers, called bots (i.e., infected by malware).

C&C: dedicated command-and-control infrastructure so that the attacker (botmaster) can send commands to the bots.

The attacker sends ICMP packets with spoofed sender (victim) to a broadcast address(并不是像上文中的攻击一样attacker向victim发送攻击包，而是attacker假装是victim发送多个包给很多的host,host回复给victim使victim的bandwidth被填满).注意Amplification Hell， 对于不同的protocol，很有可能发送的包的大小和ACK包的大小倍数相差很大。

Sniffing (against confidentiality): abusive reading of network packets

Solution: Use switched networks as opposed to hub-based networks.

Spoofing (against integrity and authenticity): forging network packets

First come, first trusted! An attacker can forge replies easily: lack of authentication.

IP address spoofing

The IP source address is not authenticated. Changing it in UDP or ICMP packets is easy. However, the attacker will not see the answers, because they will be sent to the spoofed host (blind spoofing). But if the attacker is on the same network, s(he) can sniff the rest, or use ARP spoofing.

正常的三次握手

被劫持的三次握手

TCP Session Hijack

Taking over an active TCP session if the attacker (C) can sniff the packets:

1. C follows the conversation of A and B recording the sequence numbers.

2. C somehow disrupts B’s connection (e.g. SYN Flood): B sees only a “random” disruption of service.

3. C takes over the dialogue with A by spoofing B address and starting with a correct ISN. A suspects nothing.

The attacker can avoid disrupting B’s session and just inject things in the flow only if s(he) is a man in the middle and can control/resync all the traffic flowing through.

Man in the middle: A broad category comprising all the attacks where an attacker can impersonate the server with respect to the client and vice-versa

Spanning Tree Protocol

The STP (802.1d) avoids loops on switched networks by building a spanning tree (ST). Switches decide how to build the ST by exchanging BPDU (bridge protocol data unit) packets to elect the root node. BPDU packets are not authenticated, so, an attacker can change the shape of the tree for sniffing or ARP spoofing purposes.

DNS Poisoning

When a non-authoritative DNS server receives a request to resolve a domain name:

• If it cached the answer, it answers
• If no answer in cache: Recursion - resolves the name on behalf of the client OR Iterative - gives the authoritative DNS address.

How to Poison the Cache?

1. The attacker makes a recursive query to the victim DNS server: it will contact the authoritative server.
2. The attacker spoofs the answer impersonating the authoritative DNS server. And the server will trust it

DHCP Poisoning

The attacker can intercept requests, be the first to answer, and client will believe that answer. It’s a denial of service attack, an attacker sends forged DHCP requests to the server and leases all the available IP’s thus the legitimate clients will not get an IP assigned; or the Attacker may send bogus request/replies luring the client to connect to attacker’s machine instead of valid DHCP server. It happens because the DHCP protocol does not support authentication, the client must blindly believe any DHCP offer that it sees; thus, an arbitrary client can race (and win) against the real DHCP Server.

ICMP Redirect

Tells an host that a better route exists for a given destination, and gives the gateway for that route.

The attacker can forge an ICMP redirect packet to elect his/her computer as the gateway.

Secure Network Architectures

Firewall

Firewall is network access control system that verifies all the packets(traffic) flowing through it. It has to be the ONLY point between a network and outside network. It has two functions usually: IP Packet Filtering, Network Address Translation.

It may be powerless against insider attacks and unchecked path.

Firewall itself is a computer, but most times it is only an embedded appliance with just a firmware.

Network layer firewall

Packet filters

Stateful packet filters

Application layer firewall

Circuit level firewall

Application proxies

Packet Filters

Packet by packet processing. Decodes the IP header - SRC and DST IP/port, Protocol Type, IP options.

It is stateless and cannot track TCP connections, but it could sets a set of rules in the packet processing (block/allow/log).

Stateful(Dynamic) Packet Filters

Include network packet filters, plus 1. track the TCP state machine, 2. track connections without adding response rule.

It could logging and accounting on connections.

Session Handling

A session is an atomic transport layer exchange of application data between 2 hosts(TCP/UDP). It is fundamental for NAT.

NAT Session Initialization

Circuit Firewalls

Client connects to a specific TCP port on the firewall, which then connects to the address and port of the desired server (not transparent!). (EG: SOCKS)

Application Proxies

Same as circuit firewalls, but at application layer.

Inspect, validate, manipulate protocol application data (e.g., rewrite HTTP frames).

Dual/Multi Zone Architectures

Problem: if we mix externally accessible servers with internal clients, we lower the security of the internal network.

Solution: we allow external access to the accessible servers, but not to the internal network.

General idea: split the network by privileges levels. Firewalls to regulate access.

DMZ - demilitarized zone: On the DMZ no critical or irreplaceable data. The DMZ is almost as risky as the Internet.

Virtual Private Network: VPN

Target: Ensure CIA to data transmitted over a public network (i.e., the Internet).

Solution: VPN, an encrypted overlay connection over a (public) network.

TWO MODES OF VPN

Full tunnelling: Every packet goes through the tunnel/ Traffic multiplication, could be inefficient/ Single point of control and application of all security policies as if the client were in the corporate network.

Split tunnelling: Traffic to the corporate network: in VPN/ traffic to the Internet: directly to ISP/ More efficient, less control./ Just similar to the case of the PC connected via 3G.

Network Security: SSL and SET

Introduction

Problems of remoteness: Trust factor between parties/Use of sensitive data/Atomicity of transaction

Internet protocol problems: Authentication//Confidentiality/Transparence and critical mass problem

HTTP over SSL (Secure Socket Layer), or HTTPS

Communication confidentiality and integrity/Mutual authentication/No guarantees on data usage/No strict authentication of client (in practice)

SSL

SSL enforces: Confidentiality and integrity of the communications/Server authentication/Client authentication (optionally)/Uses both symmetric and asymmetric cryptography for performance reasons

SSL is by design resistant to MITM!

PROS: Protects transmissions: Confidentiality/Integrity/Ensures authentication of server/client (optionally)

CONS: No protection before or after transmission on server/client (e.g. trojan)/By abuser (e.g. non-honest merchant)/Relies on PKI/Not foolproof

SET (Secure Electronic Transaction)

Guarantees on data usage and transaction security enforcement/Missing critical mass support. Uses the concept of a dual signature(将两条消息hash各自hash成一个digest，然后将两个digest hash成一个digest来确保两条消息都没有被修改过).

Approach

1. Customer browses website and decides on what to purchase
2. Customer sends order and payment information, which includes 2 parts in one message: a. Purchase Order – this part is for merchant,b. Card Information – this part is for merchant’s bank only.
3. Merchant forwards card information (part b) to their bank
4. Merchant’s bank checks with Issuer for payment authorization
5. Issuer send authorization to Merchant’s bank
6. Merchant’s bank send authorization to merchant
7. Merchant completes the order and sends confirmation to the customer
8. Merchant captures the transaction from their bank
9. Issuer prints credit card bill (invoice) to customer

hash 1: hash of order information

hash 2: hash of pay instruction