Source: mashiyat/csc309/Tutorial/SecurityTutorial.pdf (slide deck)

Security
What about MongoDB?
● Even though MongoDB doesn't use SQL, it can be vulnerable to injection attacks
● A query whose $where clause uses user input:

```javascript
db.collection.find({
  active: true,
  $where: function() { return obj.credits - obj.debits < req.body.input; }
});
```

● The same query after injected input (the added loop keeps the server busy for 10 seconds):

```javascript
db.collection.find({
  active: true,
  $where: function() {
    return obj.credits - obj.debits < 0;
    var date = new Date();
    do { curDate = new Date(); } while (curDate - date < 10000);
  }
});
```
Protection
● Don't use $where, mapReduce or group, which accept arbitrary JavaScript expressions
● Set security.javascriptEnabled = false
● Escape all user input before passing it to a $where clause
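The following is an added example, not code from the tutorial: it builds the "credits - debits < input" query once with user input spliced into a $where clause and once with query operators only, so that no server-side JavaScript is evaluated. Only the query objects are built; no database connection is needed.

```javascript
// Added example (not the tutorial's code): the "credits - debits < input" query
// built with user input reaching a $where clause, beside a version that never
// runs server-side JavaScript. Only the query objects are built; no database
// connection is needed.

// Vulnerable form: the user-controlled string is spliced into JavaScript that
// mongod evaluates, so anything after the number is evaluated too.
function buildQueryUnsafe(input) {
  return {
    active: true,
    $where: "obj.credits - obj.debits < " + input,
  };
}

// Hardened form: validate the input as a finite number, then express the same
// comparison with query operators ($expr, $subtract, $lt). No JavaScript is
// sent to the server, so this also works with security.javascriptEnabled = false.
function buildQuerySafe(input) {
  const n = Number(input);
  if (typeof input !== "string" || input.trim() === "" || !Number.isFinite(n)) {
    throw new TypeError("input must be a finite number");
  }
  return {
    active: true,
    $expr: { $lt: [{ $subtract: ["$credits", "$debits"] }, n] },
  };
}

// Does a built query hand any JavaScript to the server?
function usesServerSideJs(query) {
  return Object.prototype.hasOwnProperty.call(query, "$where");
}

// Constructed sample inputs: a normal value and one that widens the filter to
// every document by appending a JavaScript expression.
const normalInput = "0";
const hostileInput = "0 || true";

function demo() {
  let safeResult;
  try { safeResult = buildQuerySafe(hostileInput); } catch (e) { safeResult = "rejected: " + e.message; }
  return {
    unsafe: buildQueryUnsafe(hostileInput),   // $where now reads "... < 0 || true"
    safe: buildQuerySafe(normalInput),
    safeWithHostile: safeResult,
  };
}
console.log(JSON.stringify(demo(), null, 2));
```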
Same Origin Policy

Motivation
● Users visit many websites at the same time using browser tabs or multiple windows
● A webpage may include some JavaScript to access its DOM and send AJAX messages to its backend
  o What if the script could also do the same with other websites?
● A website must not steal sensitive information from another website opened in the same browser
Same Origin Policy
Let users visit untrusted websites without those websites interfering with the user's session with honest websites
Same Origin Policy

What is allowed?
● GET/POST requests to different origins
  o Not PUT, DELETE
● <script src="other domain/script.js">
  o similarly including <img>, CSS, etc.

Relaxation Methods
● document.domain, CORS, JSONP
XSSI
● Cross-site script inclusion
  o <script src="URL"></script>
● What is the script's origin?
  o The including document's origin; therefore, the document has full access to the script's content
● What if the URL returns dynamically created JavaScript instead of a static JavaScript file?
XSSI
<script src="http://yourapp.com/secret"></script>
● If http://yourapp.com/secret returns JavaScript with sensitive data and some functions...
  o The functions can be replaced with the attacker's version and the sensitive data can be stolen
● If http://yourapp.com/secret returns a JSON array...
  o The attacker can override the JSON array constructor to steal the array contents
XSSI
XSSI Protection
● Do not support GET requests for script-returning URLs
  o <script src="..."></script> sends GET requests
● Use XSRF tokens (discussed later)
● Do not include sensitive data in such scripts
XSS
● XSS enables attackers to inject scripts into webpages viewed by other users
  o bypasses the same origin policy
● Injected script can do many things
  o steal cookies
  o change the appearance of webpages
  o steal sensitive data displayed on webpages
  o ...
XSS
● There are mainly 3 types
  o Reflected XSS
  o Stored XSS
  o DOM-based XSS
● They differ in how scripts are injected into webpages
Reflected XSS
Stored XSS
Injection Points
● query parameters
● form fields
● cookies
● HTTP request headers
● DB
● filesystem
  o PHP
XSS Protection
● Input validation
● Output validation
● HttpOnly option for cookies
XSS Protection

express.js
● express-validator module
● sanitizer module
● xss-filters module
● and many more...

Django
● templates
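As an added example (not the tutorial's code and not the express-validator module's), the three protections listed above applied to the demo's Username field in plain Node: whitelist input validation, escaping at the point of output, and an HttpOnly session cookie. The cookie name and the username rule are assumptions for the example.

```javascript
// Added example (not the tutorial's or express-validator's code): the three
// protections from the slides applied to the demo's Username field, in plain
// Node so it runs without Express.

// Output escaping: neutralise the characters that let text break out of an
// HTML text node or a quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation: accept only the characters a username needs and reject
// everything else, rather than trying to strip "bad" substrings.
function isValidUsername(name) {
  return typeof name === "string" && /^[A-Za-z0-9_-]{3,32}$/.test(name);
}

// Render the greeting at the point of output. Even a value that slipped past
// validation is shown as text, never interpreted as markup.
function renderGreeting(username) {
  return "<p>Hello, " + escapeHtml(username) + "!</p>";
}

// HttpOnly keeps the session cookie out of document.cookie, so a script that
// does get injected cannot read and exfiltrate it. Cookie name is hypothetical.
function sessionCookieHeader(sessionId) {
  return "sid=" + encodeURIComponent(sessionId) + "; Path=/; HttpOnly";
}

// Constructed input: the payload the demo types into the Username field.
const demoPayload = "<script>alert('you are hacked!');</script>";

function demo() {
  return {
    accepted: isValidUsername(demoPayload),   // false: rejected at input
    rendered: renderGreeting(demoPayload),    // shown as text if it got through
    cookie: sessionCookieHeader("abc123"),
  };
}
console.log(demo());
```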
XSRF
● XSRF makes a user submit requests on behalf of the attacker
Why does XSRF work?
● Same Origin Policy allows sending GET/POST requests to different origins
  o hyperlinks, forms, script, img, css, etc.
● The user's browser automatically submits cookies for all requests
● Whether a request was intended by the user or forced by an attacker is unknown to the website!
XSRF Protection
● Give a secret token to the user and tell the user to submit it along with the cookie on subsequent requests
● The attacker cannot guess this token, and therefore the website can tell whether the user wanted to send a request or not
XSRF Protection
XSRF Protection
XSRF Protection

express.js
● csurf module

Django
● CsrfViewMiddleware
XSS Demo

Setup:

```shell
git clone https://github.com/sukwon0709/express.git
cd express
npm install
npm install express-validator
```

Running:

```shell
node examples/auth
```
XSS Demo
Input <script>alert('you are hacked!');</script> into the Username field
XSS Demo
XSS Demo
To test the fixed version using express-validator:

```shell
cp examples/auth/index.js examples/auth/index_bad.js
cp examples/auth/index_fixed_xss.js examples/auth/index.js
node examples/auth
```
XSS Demo
Input <script>alert('you are hacked!');</script> into the Username field
XSS Demo
XSS Demo
Look at the comments starting with XXX (soh) to see how to use the express-validator module.
XSRF Demo

Setup:
1. npm install csurf
2. Run node examples/auth again
3. Open the xsrf.html file in your browser
4. Look at the terminal output
XSRF Demo
XSRF Demo
A user was logged in to the auth app just by opening the xsrf.html page.
XSRF Demo
To test the fixed version using the csurf module:

```shell
cp examples/auth/index.js examples/auth/index_xsrf.js
cp examples/auth/index_fixed_xsrf.js examples/auth/index.js
cp examples/auth/views/login.ejs examples/auth/views/login_xsrf.js
cp examples/auth/views/login_fixed_xsrf.js examples/auth/views/login.ejs
```

Run with:

```shell
node examples/auth
```

Then open xsrf.html in your browser
XSRF Demo Browser shows:
XSRF Demo Terminal shows:
XSRF Demo
Look at the comments in index_fixed_xsrf.js and views/login.ejs to figure out what you need to do.